# File label for the bpfloader binary on disk. The bpfloader domain itself is
# referenced below but declared outside this file.
type bpfloader_exec, system_file_type, exec_type, file_type;

# Tag bpfloader with the bpfdomain attribute (defined outside this file).
typeattribute bpfloader bpfdomain;

# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;

# These permissions are required to pin ebpf maps & programs.
# Note the dir set deliberately omits open/read/getattr: bpfloader adds and
# removes entries under bpffs but the neverallow rules below keep enumeration
# of the mount to init/vendor_init.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create read rename setattr };
# Lets every other bpffs_type label (all but fs_bpf itself) live on the fs_bpf
# filesystem; presumably this is what allows the per-consumer labels used
# below (fs_bpf_net_private, fs_bpf_netd_shared, ...) to be applied to
# subtrees of the single bpffs mount — confirm against the file_contexts.
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;

# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };

# NOTE(review): sys_admin is by far the broadest of these three. It is
# presumably needed because bpf() is gated on CAP_SYS_ADMIN on kernels that
# predate CAP_BPF — confirm it is still required on the supported kernels,
# since it widens the blast radius of any bug in the loader.
allow bpfloader self:capability { chown sys_admin net_admin };

# Read-only access to the fuse-bpf sysfs node (purpose inferred from the label
# name — presumably kernel feature detection; confirm).
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;

# bpfloader may set this property; from the name it looks like the
# "programs are loaded" signal other services wait on — verify against callers.
set_prop(bpfloader, bpf_progs_loaded_prop)

# bpfloader may re-exec its own binary without a domain transition. Together
# with the neverallow on bpfloader_exec below, only init and bpfloader itself
# can ever execute this binary.
allow bpfloader bpfloader_exec:file execute_no_trans;

###
### Neverallow rules
###
### These are build-time constraints, not grants: each exclusion list below is
### the ceiling of which domains may ever be granted the permission. Adding a
### domain to one of these lists is a policy decision, not a build fix.
###

# bpffs directories: only init/vendor_init may open/read/setattr them, only
# bpfloader may change their contents, and the complement rule denies every
# directory permission not explicitly listed, to all domains.
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };

# bpffs files: only bpfloader (and, for now, init/vendor_init) may map/open/setattr
# pinned objects; only bpfloader may create or rename them.
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
neverallow { domain -bpfloader } bpffs_type:file { create rename };
# Per-label read allow-lists. Each fs_bpf_* label is readable only by the
# consumers named on its line; the generic fs_bpf label is the widest.
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
# Write access to pinned files outside fs_bpf_vendor (which is covered by its
# own rule further down). Unlike the read rules above, init and vendor_init are
# not carved out here.
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
# Complement rule: any file permission not listed is denied to every domain.
neverallow domain bpffs_type:file ~{ create map open read rename setattr write };

# Core invariant: only bpfloader may create maps or load programs, on any
# target (*). Every other domain only consumes what bpfloader has pinned.
neverallow { domain -bpfloader } *:bpf { map_create prog_load };

# Allow-list of domains that may run (attach/invoke) programs.
neverallow {
    domain
    -bpfloader
    -gpuservice
    -hal_health_server
    -mediaprovider_app
    -netd
    -netutils_wrapper
    -network_stack
    -system_server
} *:bpf prog_run;
# Allow-list of domains that may read/update map contents. Note this list is
# not the same as the prog_run list above (e.g. lmkd appears only here,
# hal_health_server and netutils_wrapper only there).
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
# Only init (to start it) and bpfloader itself may execute the loader binary.
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };

# Vendor-owned pinned objects are off-limits to all of coredomain except the
# loader and init; no permission on them at all (*).
neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;

# The loader never gets TCP/UDP/raw sockets: keeps the one domain that can load
# programs off the network entirely.
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;

# No domain should be allowed to ptrace bpfloader
# userdebug_or_eng(...) expands its argument only on userdebug/eng builds, so
# llkd is carved out there and the rule is unconditional on user builds.
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;

# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
# this should perhaps be moved to the bpfloader binary itself. Allow both.
neverallow { domain -bpfloader -init } proc_bpf:file write;