# SELinux policy for bpfloader: the one-shot, boot-time process that loads eBPF
# programs and maps and pins them under the bpf filesystem (the bpffs_type
# labels). The allow rules are deliberately minimal; the neverallow section
# further down is the real contract and fixes, for the whole policy, which
# domains may ever be granted access to bpf objects.
type bpfloader_exec, system_file_type, exec_type, file_type;

# bpfdomain is the attribute shared by domains that interact with pinned bpf
# objects; the lnk_file read neverallow below is keyed on it.
typeattribute bpfloader bpfdomain;

# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;

# These permissions are required to pin ebpf maps & programs.
# Directory mutation (adding/removing entries) and file create/rename/setattr
# are bpfloader-only; the neverallow rules below enforce this policy-wide.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
# Every bpffs_type label other than fs_bpf itself may be carried by objects
# living on the fs_bpf filesystem (per-subtree labelling of bpffs).
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;

# Allow bpfloader to create bpf maps and programs.
# map_create and prog_load are reserved to bpfloader by neverallow below;
# map_read, map_write and prog_run are additionally open to a short, closed
# list of consumer domains (see the *:bpf neverallows).
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };

# NOTE(review): sys_admin is a very broad capability for a process that parses
# on-disk program blobs; on kernels without CAP_BPF it is presumably what gates
# the bpf() syscall itself, and chown/net_admin are presumably for ownership
# of pinned objects and network-attached programs -- confirm each is still
# required before changing this set, and do not widen it.
allow bpfloader self:capability { chown sys_admin net_admin };

# Read-only access to the fuse-bpf sysfs node.
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;

# proc_bpf is writable by bpfloader only (see the final neverallow).
allow bpfloader proc_bpf:file w_file_perms;

# bpfloader sets this property (presumably to signal that loading completed
# -- TODO confirm against the loader source).
set_prop(bpfloader, bpf_progs_loaded_prop)

# bpfloader may exec its own binary without a domain transition. Executing
# bpfloader_exec is otherwise limited to init (neverallow below).
allow bpfloader bpfloader_exec:file execute_no_trans;

###
### Neverallow rules
###
### Each rule here is a compile-time assertion over the complete policy: an
### allow rule anywhere else (vendor policy included) that contradicts one of
### them fails the policy build. Read a "-domain" exclusion as membership in
### the closed list of domains that MAY be granted the permission elsewhere;
### the exclusion itself grants nothing. Widening any of these lists is a
### security review event, not a routine edit.

# Note: we don't care about getattr/mounton/search
# No domain gets any bpffs dir permission outside this set...
neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
# ...and only bpfloader may mutate bpffs directories.
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };

# No domain gets any bpffs file permission outside this set...
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
# ...and create/map/open/rename/setattr are bpfloader-only. Consumers therefore
# never open() pinned objects directly; they are limited to getattr/read/write
# per the rules below (NOTE(review): presumably reached via BPF_OBJ_GET, which
# the kernel checks as file read -- confirm).
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
# Per-subtree reader lists: the complete set of domains that may be granted
# getattr/read on each bpffs label. lmkd and mediaprovider_app appear only in
# the fs_bpf read rule and not in the write rule, i.e. they are read-only.
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
# (Subsumed by the fs_bpf_loader:file * rule further down; kept for clarity.)
neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
# Writer list for every bpffs label except the vendor subtree, which is
# handled by the coredomain rule below.
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;

# Symlinks under bpffs: only bpfloader may do anything beyond read, and only
# bpfdomain members may read them.
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;

# Map creation and program loading are bpfloader-only, whatever the target
# type: no other domain can introduce bpf code into the kernel.
neverallow { domain -bpfloader } *:bpf { map_create prog_load };

# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;

# Closed list of domains that may be granted prog_run on any bpf object.
neverallow {
    domain
    -bpfloader
    -gpuservice
    -hal_health_server
    -mediaprovider_app
    -netd
    -netutils_wrapper
    -network_stack
    -system_server
} *:bpf prog_run;
# Closed list of domains that may be granted map_read/map_write on any bpf
# object. Note the lists differ: hal_health_server and netutils_wrapper may
# only run programs, lmkd may only access maps.
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
# Only init and bpfloader itself may execute the bpfloader binary.
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };

# The vendor subtree is off limits to every core domain except bpfloader; the
# rule is keyed on coredomain, so vendor domains are governed elsewhere.
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;

# bpfloader needs no network sockets of its own; denying them outright keeps
# the attack surface of a sys_admin-capable process minimal.
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;

# No domain should be allowed to ptrace bpfloader
# (llkd is tolerated on userdebug/eng builds only; the macro expands to
# nothing on user builds).
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;

# proc_bpf is writable by bpfloader only.
neverallow { domain -bpfloader } proc_bpf:file write;