From 2623ebcf8e658f538a0ecf4b139bbd32dfd28b98 Mon Sep 17 00:00:00 2001 From: Chenbo Feng Date: Wed, 28 Mar 2018 16:51:26 -0700 Subject: [PATCH] Allow netutils_wrapper to use pinned bpf program The netutils_wrapper is a process used by vendor code to update the iptable rules on devices. When it update the rules for a specific chain. The iptable module will reload the whole chain with the new rule. So even the netutils_wrapper do not need to add any rules related to xt_bpf module, it will still reloading the existing iptables rules about xt_bpf module and need pass through the selinux check again when the rules are reloading. So we have to grant it the permission to reuse the pinned program in fs_bpf when it modifies the corresponding iptables chain so the vendor module will not crash anymore. Test: device boot and no more denials from netutils_wrapper Bug: 72111305 Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be --- private/bpfloader.te | 2 +- private/netutils_wrapper.te | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/private/bpfloader.te b/private/bpfloader.te index c0b499982..e6902316d 100644 --- a/private/bpfloader.te +++ b/private/bpfloader.te @@ -21,7 +21,7 @@ allow bpfloader self:bpf { prog_load prog_run }; # Neverallow rules neverallow { domain -bpfloader } *:bpf prog_load; -neverallow { domain -bpfloader -netd } *:bpf prog_run; +neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run; neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans }; neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *; # only system_server, netd and bpfloader can read/write the bpf maps diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te index 9a5697e36..f56e8d861 100644 --- a/private/netutils_wrapper.te +++ b/private/netutils_wrapper.te @@ -18,6 +18,13 @@ allow netutils_wrapper self:netlink_xfrm_socket ~ioctl; allow netutils_wrapper netd_socket:sock_file { open getattr read write append }; allow netutils_wrapper netd:unix_stream_socket { read getattr connectto }; +# For vendor code that update the iptables rules at runtime. They need to reload +# the whole chain including the xt_bpf rules. They need to access to the pinned +# program when reloading the rule. +allow netutils_wrapper fs_bpf:dir search; +allow netutils_wrapper fs_bpf:file { read write }; +allow netutils_wrapper bpfloader:bpf prog_run; + # For /data/misc/net access to ndc and ip r_dir_file(netutils_wrapper, net_data_file)