From 5c95c1684119604a8fccf0f264459b21ce214b9b Mon Sep 17 00:00:00 2001
From: Chenbo Feng <fengc@google.com>
Date: Tue, 20 Mar 2018 15:42:44 -0700
Subject: [PATCH] Allow netd to setup xt_bpf iptable rules

To better record the network traffic stats for each network interface,
we use the xt_bpf netfilter module to do the iface stats accounting instead
of the cgroup bpf filter we currently use for per-uid stats accounting.
The xt_bpf module takes a pinned eBPF program as an iptables rule and runs
the program when a packet passes through the netfilter hook. To set up the
iptables rules, netd needs to be able to access the bpf filesystem and run the
bpf program at boot time. The program used will still be created and
pinned by the bpfloader process.

Test: With selinux enforced, run "iptables -L -t raw" should show the
xt_bpf related rule present in bw_raw_PREROUTING chain.
Bug: 72111305

Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
---
 private/bpfloader.te | 3 ++-
 private/netd.te      | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/private/bpfloader.te b/private/bpfloader.te
index fe3e648f9..c0b499982 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -20,7 +20,8 @@ allow bpfloader netd:bpf { map_read map_write };
 allow bpfloader self:bpf { prog_load prog_run };
 
 # Neverallow rules
-neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd } *:bpf prog_run;
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
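Review bot: The new second neverallow exempts netd from prog_run on every bpf object (`*:bpf`), while the matching allow in netd.te only grants `bpfloader:bpf prog_run`, so the neverallow no longer encodes the intended restriction that netd may run only programs pinned by bpfloader. The surrounding context (`allow bpfloader netd:bpf { map_read map_write }`) suggests bpf objects are labelled with the creating domain's type, so the exemption can stay narrow by adding `neverallow netd { domain -bpfloader }:bpf prog_run;` directly after the new line; please confirm that labelling assumption against the rest of the policy. A one-line comment above the split, e.g. `# netd may run bpfloader-pinned programs to install xt_bpf iptables rules`, would also record why prog_run is now treated differently from prog_load.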
diff --git a/private/netd.te b/private/netd.te
index 461d59b34..281105d04 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -10,3 +10,6 @@ domain_auto_trans(netd, clatd_exec, clatd)
 
 # Allow netd to start bpfloader_exec in its own domain
 domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;
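Review bot: The new allow grants only `prog_run` on `bpfloader:bpf`, but the commit message says netd must also access the bpf filesystem to obtain the pinned program, and nothing in this hunk or its visible context grants netd lookup/open access on whatever label the pinned object paths carry. If that access is not already present elsewhere in netd.te, obtaining the pinned program before prog_run would still be denied under enforcing policy and the stated test (`iptables -L -t raw` showing the rule) would not pass, so this is worth confirming against the rest of the file. The comment could also name the flow being permitted, e.g. `# netd opens the bpfloader-pinned program from the bpf filesystem and attaches it as an xt_bpf iptables rule`, and `setup` should read `set up`.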
-- 
GitLab