Merge "Allow netd to setup xt_bpf iptable rules"

cd175e0e · Treehugger Robot · Gerrit Code Review · cc4b960f · 5c95c168 · cd175e0e
Commit cd175e0e authored 7 years ago by Treehugger Robot Committed by Gerrit Code Review 7 years ago
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -20,7 +20,8 @@ allow bpfloader netd:bpf { map_read map_write };
 allow bpfloader self:bpf { prog_load prog_run };

 # Neverallow rules
-neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd } *:bpf prog_run;
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps

--- a/private/netd.te
+++ b/private/netd.te
@@ -10,3 +10,6 @@ domain_auto_trans(netd, clatd_exec, clatd)

 # Allow netd to start bpfloader_exec in its own domain
 domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;