commit 09d4bb5aa16517adc22f4015b8076319aa9b4399
author Maciej Żenczykowski <maze@google.com> Sat Feb 22 02:54:32 2020 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Sat Feb 22 02:54:32 2020 +0000
tree 574e26134ff8cbb6312ef79f3d0a5ac932507309
parent e39f8d23ede078a10653da7ef78c3c3ec5e591cf
parent 49c73b06a21f8cd41b37dc6fb79160ef5969c360

Merge "cut down bpf related privileges"

private/bpfloader.te

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 8271add..249f3df 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,26 +3,36 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;
 
-# These permission is required for pin bpf program for netd.
-allow bpfloader fs_bpf:dir  create_dir_perms;
-allow bpfloader fs_bpf:file create_file_perms;
-allow bpfloader devpts:chr_file { read write };
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:file { create setattr };
 
-# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
-# for retrieving a pinned map when bpfloader do a run time restart.
-allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
 
 allow bpfloader self:capability { chown sys_admin };
 
 ###
 ### Neverallow rules
 ###
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
+neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow domain fs_bpf:dir { reparent rename rmdir };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
+neverallow { domain -bpfloader } fs_bpf:file create;
+neverallow domain fs_bpf:file { rename unlink };
+
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
-# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;

public/netd.te

diff --git a/public/netd.te b/public/netd.te
index 92c2ed1..8005406 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -63,7 +63,7 @@
 r_dir_file(netd, cgroup_bpf)
 
 allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write setattr };
+allow netd fs_bpf:file { read write };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.