Allow executing bpfloader from init and modify rules

init needs to execute bpfloader as a one-shot service. Add sepolicy for the same. Also update old rules allowing init to fork/exec bpfloader and remove rules allowing netd to do so. Bug: 112334572 Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37 Signed-off-by: Joel Fernandes <joelaf@google.com>

Allow executing bpfloader from init and modify rules
147cf648 · Joel Fernandes · 4bf47882 · 147cf648 · 147cf648 · 147cf648
Commit 147cf648 authored Nov 29, 2018 by Joel Fernandes
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,8 +8,6 @@ allow bpfloader fs_bpf:dir  create_dir_perms;
 allow bpfloader fs_bpf:file create_file_perms;
 allow bpfloader devpts:chr_file { read write };
-allow bpfloader netd:fd use;
 # Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
 # for retrieving a pinned map when bpfloader do a run time restart.
 allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
@@ -21,7 +19,7 @@ allow bpfloader self:global_capability_class_set sys_admin;
 ###
 neverallow { domain -bpfloader } *:bpf prog_load;
 neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
-neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };

--- a/private/init.te
+++ b/private/init.te
@@ -7,6 +7,8 @@ domain_trans(init, rootfs, charger)
 domain_trans(init, rootfs, healthd)
 domain_trans(init, rootfs, slideshow)
 domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
 recovery_only(`
  domain_trans(init, rootfs, adbd)
  domain_trans(init, rootfs, fastbootd)

--- a/private/netd.te
+++ b/private/netd.te
@@ -8,9 +8,6 @@ domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 # Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
-# Allow netd to start bpfloader_exec in its own domain
-domain_auto_trans(netd, bpfloader_exec, bpfloader)
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };