Fix sepolicy for bpf object

With the new patches backported to 4.9 kernels, the bpf file system now take the same file open flag as bpf_obj_get. So system server now need read permission only for both bpf map and fs_bpf since we do not need system server to edit the map. Also, the netd will always pass stdin stdout fd to the process forked by it and do allow it will cause the fork and execev fail. We just allow it pass the fd to bpfloader for now until we have a better option. Test: bpfloader start successful on devices with 4.9 kernel. run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest Bug: 74096311 Bug: 30950746 Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

Fix sepolicy for bpf object
6cd70c2f · Chenbo Feng · a6b8414b · 6cd70c2f · 6cd70c2f
Commit 6cd70c2f authored 7 years ago by Chenbo Feng
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,8 +13,7 @@ allow bpfloader fs_bpf:dir  create_dir_perms;
 allow bpfloader fs_bpf:file create_file_perms;
 allow bpfloader devpts:chr_file { read write };
-# TODO: unknown fd pass denials, need further investigation.
+allow bpfloader netd:fd use;
-dontaudit bpfloader netd:fd use;
 # Use pinned bpf map files from netd.
 allow bpfloader netd:bpf { map_read map_write };

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -749,8 +749,8 @@ with_asan(`
 # allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
 # the map after snapshot is recorded
-allow system_server fs_bpf:file write;
+allow system_server fs_bpf:file read;
-allow system_server netd:bpf { map_read map_write };
+allow system_server netd:bpf map_read;
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.