Merge "Allow netutils_wrapper to use pinned bpf program" into pi-dev

6577b988 · TreeHugger Robot · Android (Google) Code Review · eaee65f0 · be9b15c5 · 6577b988
Commit 6577b988 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -21,7 +21,7 @@ allow bpfloader self:bpf { prog_load prog_run };
 # Neverallow rules
 neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps

--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -18,6 +18,13 @@ allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
 allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:dir search;
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
 # For /data/misc/net access to ndc and ip
 r_dir_file(netutils_wrapper, net_data_file)