selinux - netd - tighten down bpf policy

bpf programs/maps are now loaded by the bpfloader, not netd

Test: built/installed on crosshatch which uses eBPF - no avc denials

Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Merged-In: I1ebd82e6730d62d1966da3c4634ecd78ce703543
(cherry picked from commit 487fcb87c0af63e469b0835ba730715a34897f8f)

private/bpfloader.te

@@ -17,8 +17,8 @@ allow bpfloader self:global_capability_class_set sys_admin;
 ###
 ### Neverallow rules
 ###
-neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps

public/netd.te

@@ -62,8 +62,8 @@ allow netd sysfs_usb:file write;
 
 r_dir_file(netd, cgroup_bpf)
 
-allow netd fs_bpf:dir  create_dir_perms;
-allow netd fs_bpf:file create_file_perms;
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write setattr };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
@@ -156,9 +156,6 @@ neverallow {
     -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
-# only netd can create the bpf maps
-neverallow { domain -netd } netd:bpf { map_create };
-
 # apps may not interact with netd over binder.
 neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;