Add sepolicy to lock down bpf access

Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f

Add sepolicy to lock down bpf access
Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
566411ed · Chenbo Feng · 8b049d5b · 566411ed · 566411ed · 566411ed
Commit 566411ed authored 7 years ago by Chenbo Feng
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, exec_type, file_type;
+typeattribute bpfloader coredomain;
+# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
+allow bpfloader self:global_capability_class_set net_admin;
+r_dir_file(bpfloader, cgroup_bpf)
+# These permission is required for pin bpf program for netd.
+allow bpfloader fs_bpf:dir  create_dir_perms;
+allow bpfloader fs_bpf:file create_file_perms;
+allow bpfloader devpts:chr_file { read write };
+# TODO: unknown fd pass denials, need further investigation.
+dontaudit bpfloader netd:fd use;
+# Use pinned bpf map files from netd.
+allow bpfloader netd:bpf { map_read map_write };
+allow bpfloader self:bpf { prog_load prog_run };
+# Neverallow rules
+neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+# only system_server, netd and bpfloader can read/write the bpf maps
+neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,8 @@
 (typeattributeset new_objects
  ( adbd_exec
    bootloader_boot_reason_prop
+    bpfloader
+    bpfloader_exec
    broadcastradio_service
    cgroup_bpf
    crossprofileapps_service

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -283,6 +283,7 @@
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
 /system/bin/stats                u:object_r:stats_exec:s0
 /system/bin/statsd               u:object_r:statsd_exec:s0
+/system/bin/bpfloader            u:object_r:bpfloader_exec:s0
 #############################
 # Vendor files

--- a/private/netd.te
+++ b/private/netd.te
@@ -7,3 +7,6 @@ domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 # Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,7 +7,7 @@ net_domain(netd)
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 r_dir_file(netd, cgroup)
-r_dir_file(netd, cgroup_bpf)
 allow netd system_server:fd use;
 allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -105,7 +105,7 @@ allow netd netdomain:fd use;
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 # give netd permission to use eBPF functionalities
-allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+allow netd self:bpf { map_create map_read map_write };
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
@@ -132,6 +132,9 @@ neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
 # only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only netd can create the bpf maps
+neverallow { domain -netd } netd:bpf { map_create };
 # apps may not interact with netd over binder.
 neverallow appdomain netd:binder call;
 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;