From bfa95fcdf04cdbe3f13ab7e52315067f7908d160 Mon Sep 17 00:00:00 2001
From: Chenbo Feng <fengc@google.com>
Date: Mon, 5 Mar 2018 20:43:45 -0800
Subject: [PATCH] Fix sepolicy for bpf object

With the new patches backported to 4.9 kernels, the bpf file system now take the same file open flag as bpf_obj_get. So system server now need read permission only for both bpf map and fs_bpf since we do not need system server to edit the map.

Also, the netd will always pass stdin stdout fd to the process forked by it and do allow it will cause the fork and execev fail. We just allow it pass the fd to bpfloader for now until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746
Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d
---
 private/bpfloader.te | 3 +--
 private/system_server.te | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 1caf95268..fe3e648f9 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,8 +13,7 @@
 allow bpfloader fs_bpf:dir create_dir_perms;
 allow bpfloader fs_bpf:file create_file_perms;
 allow bpfloader devpts:chr_file { read write };
-# TODO: unknown fd pass denials, need further investigation.
-dontaudit bpfloader netd:fd use;
+allow bpfloader netd:fd use;
 
 # Use pinned bpf map files from netd.
 allow bpfloader netd:bpf { map_read map_write };
diff --git a/private/system_server.te b/private/system_server.te
index a512e5d26..d1571d692 100644
--- a/private/system_server.te
+++ b/private/system_server.te
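Review bot: The new `allow bpfloader netd:fd use;` in the bpfloader.te hunk is wider than the problem the commit message describes, and the removed TODO is the only place the fd-passing was flagged, so nothing in the policy now records why the rule exists or that it is interim. The message explains only the stdin/stdout descriptors netd leaves attached when it forks bpfloader, but `netd:fd use` covers every descriptor netd passes or leaks to the child. Keep a comment on the rule that says so, e.g. `# Interim: netd forks bpfloader with its stdin/stdout fds attached and the exec fails if fd use is denied; revisit once a narrower option exists (see the Bug: ids in this change).`. Placing it next to the existing `allow bpfloader devpts:chr_file { read write };` context line makes the relation to the inherited terminal descriptors visible to the next reader.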
@@ -746,8 +746,8 @@ with_asan(`
 
 # allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
 # the map after snapshot is recorded
-allow system_server fs_bpf:file write;
-allow system_server netd:bpf { map_read map_write };
+allow system_server fs_bpf:file read;
+allow system_server netd:bpf map_read;
 
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
-- 
GitLab
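Review bot: The two context comment lines directly above the changed rules in the system_server.te hunk still say system_server reads the maps "amd clean up the map after snapshot is recorded", but the new side drops both `fs_bpf:file write` and `map_write`, so the comment now documents a permission the rule no longer grants and invites someone to "restore" it later. Update the comment in the same change to `# allow system_server to read the eBPF maps that store the traffic stats information` and drop the second line, which also fixes the "amd" typo. If system_server is never meant to edit these maps, as the message states, a `neverallow system_server netd:bpf map_write;` next to the rule would keep the narrowing from being undone by accident; I cannot see from the hunk whether an existing neverallow already covers it.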