# bpf program loader
#
# Policy for the bpfloader daemon: the single domain allowed to create BPF maps,
# load BPF programs, and pin them under the bpf filesystem (fs_bpf /
# fs_bpf_tethering). Other domains that need those objects are granted narrow
# access to the pinned files below, and the neverallow section enforces that
# no other domain can ever acquire the loading/pinning privileges.
type bpfloader, domain;
# Label of the bpfloader executable itself (a system, executable file type).
type bpfloader_exec, system_file_type, exec_type, file_type;
# bpfloader is part of the core (non-vendor) system image.
typeattribute bpfloader coredomain;

# These permissions are required to pin ebpf maps & programs.
# Directory access is deliberately limited to creating/adding entries and
# searching; note that open/read/setattr on these dirs is NOT granted here, and
# the neverallow rules below forbid it for bpfloader as well.
allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
# Pinned objects appear as files: bpfloader creates them, reads them back and
# adjusts their attributes (ownership/mode are set with setattr + the chown
# capability granted below).
allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
# fs_bpf_tethering-labelled objects may live on the fs_bpf filesystem.
allow fs_bpf_tethering fs_bpf:filesystem associate;

# Allow bpfloader to create bpf maps and programs.
# map_create / prog_load are the privileged operations; the neverallows below
# reserve them exclusively for this domain.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };

# Capabilities needed by the loader. chown pairs with file:setattr above for
# handing pinned objects to their consumers. NOTE(review): sys_admin is
# presumably required by the kernel for bpf() on this release (pre-CAP_BPF)
# and net_admin for attaching networking programs — confirm against the
# bpfloader source before narrowing.
allow bpfloader self:capability { chown sys_admin net_admin };

# bpfloader signals completion by setting this property so dependents can wait
# for the pinned maps/programs to exist.
set_prop(bpfloader, bpf_progs_loaded_prop)

###
### Neverallow rules
###
### These are compile-time assertions over the whole policy: any allow rule
### elsewhere that contradicts them fails the policy build. Together they pin
### down exactly which domains may touch the bpf filesystem and the bpf object
### class, so a stray allow in another .te file cannot widen the attack surface.

# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
# Only init/vendor_init may open/read/setattr the bpf dirs (bpfloader is not
# excluded from this rule and so is forbidden too).
neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
# Creating entries in the bpf dirs is bpfloader's privilege alone.
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
# No domain at all gets any dir permission outside this enumerated set.
neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };

# TODO: get rid of init & vendor_init
# map/open/setattr on pinned objects: bpfloader plus (for now) init/vendor_init.
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
# Only bpfloader may create pinned objects.
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
# Explicit allow-list of consumers that may read pinned objects...
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
# ...and the narrower list that may write them (note: init, lmkd and vendor_init
# are read-only consumers here).
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
# No other file permission on pinned objects for any domain.
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };

# Core invariant: only bpfloader can create maps or load programs, on any label.
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
# Running loaded programs and reading/writing maps is limited to these
# consumers. The two lists differ on purpose: netutils_wrapper may run programs
# but not touch maps, while lmkd may use maps but not run programs.
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };

# The loader binary may only be executed by init (which launches it) and by
# bpfloader itself.
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };

# bpfloader has no business on the network: deny every permission on
# TCP/UDP/raw IP sockets to keep its attack surface minimal.
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;

# No domain should be allowed to ptrace bpfloader
# (llkd is exempted only on userdebug/eng builds, for debugging).
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;