Add sepolicy to lock down bpf access
Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
Showing
- private/bpfloader.te 28 additions, 0 deletionsprivate/bpfloader.te
- private/compat/26.0/26.0.ignore.cil 2 additions, 0 deletionsprivate/compat/26.0/26.0.ignore.cil
- private/file_contexts 1 addition, 0 deletionsprivate/file_contexts
- private/netd.te 3 additions, 0 deletionsprivate/netd.te
- public/netd.te 5 additions, 2 deletionspublic/netd.te
Loading
Please register or sign in to comment