sepolicy: New sepolicy classes and rules about bpf object

am: 08f92f9c Change-Id: Ibf75df4bfde087c80b9135819edf319673103eb5

sepolicy: New sepolicy classes and rules about bpf object
7daa05f1 · Chenbo Feng · android-build-merger · 956e099e · 08f92f9c · 7daa05f1
Commit 7daa05f1 authored 7 years ago by Chenbo Feng Committed by android-build-merger 7 years ago
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@ inherits socket
 class unix_dgram_socket
 inherits socket

+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
+
 #
 # Define the access vector interpretation for process-related objects
 #

--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@ class packet_socket
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket
+class bpf

 # sysv-ipc-related classes
 class sem

--- a/public/netd.te
+++ b/public/netd.te
@@ -107,6 +107,9 @@ allow netd netdomain:fd use;
 # give netd permission to read and write netlink xfrm
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)