Allow netutils_wrapper to use pinned bpf program
The netutils_wrapper is a process used by vendor code to update the iptables rules on devices. When it updates the rules for a specific chain, the iptables module reloads the whole chain with the new rule set. So even though netutils_wrapper does not itself need to add any rules that use the xt_bpf module, it still reloads the existing iptables rules that reference xt_bpf, and those rules must pass the SELinux checks again when they are reloaded. We therefore have to grant it permission to reuse the pinned program in fs_bpf when it modifies the corresponding iptables chain, so that the vendor module no longer crashes. Test: device boots and there are no more denials from netutils_wrapper Bug: 72111305 Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be
This commit is contained in:
parent
c22f971195
commit
2623ebcf8e
@ -21,7 +21,7 @@ allow bpfloader self:bpf { prog_load prog_run };
|
|||||||
|
|
||||||
# Neverallow rules
|
# Neverallow rules
|
||||||
neverallow { domain -bpfloader } *:bpf prog_load;
|
neverallow { domain -bpfloader } *:bpf prog_load;
|
||||||
neverallow { domain -bpfloader -netd } *:bpf prog_run;
|
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
|
||||||
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
|
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
|
||||||
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||||
# only system_server, netd and bpfloader can read/write the bpf maps
|
# only system_server, netd and bpfloader can read/write the bpf maps
|
||||||
|
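Review bot: The comment on the new side still reads `# only system_server, netd and bpfloader can read/write the bpf maps`, while the companion change in netutils_wrapper.te grants `fs_bpf:file { read write }` to netutils_wrapper; if the neverallow that backs this comment (it sits just past the end of this hunk and is not visible here) does not already exclude netutils_wrapper the policy build will fail on the neverallow check, and if it does, the comment should be updated to list netutils_wrapper as well. Separately, the edited neverallow drops the space before the closing brace; for consistency with the neighbouring rules it should read `neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;`. Since this carve-out lets a domain that vendor code transitions into attach bpfloader-owned programs, a short comment on the rule naming why netutils_wrapper is excluded (`# netutils_wrapper re-attaches pinned xt_bpf programs when a vendor caller reloads an iptables chain`) would help future audits of the neverallow list.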
@ -18,6 +18,13 @@ allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
|
|||||||
allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
|
allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
|
||||||
allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
|
allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
|
||||||
|
|
||||||
|
# For vendor code that update the iptables rules at runtime. They need to reload
|
||||||
|
# the whole chain including the xt_bpf rules. They need to access to the pinned
|
||||||
|
# program when reloading the rule.
|
||||||
|
allow netutils_wrapper fs_bpf:dir search;
|
||||||
|
allow netutils_wrapper fs_bpf:file { read write };
|
||||||
|
allow netutils_wrapper bpfloader:bpf prog_run;
|
||||||
|
|
||||||
# For /data/misc/net access to ndc and ip
|
# For /data/misc/net access to ndc and ip
|
||||||
r_dir_file(netutils_wrapper, net_data_file)
|
r_dir_file(netutils_wrapper, net_data_file)
|
||||||
|
|
||||||
|
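Review bot: The new rules grant netutils_wrapper read and write on every fs_bpf:file, which is wider than the "reuse the pinned program" goal the comment states; if pinned maps carry the same fs_bpf label (the bpfloader.te comment about map read/write suggests they may, but this hunk does not show the labeling), a vendor-invoked netutils_wrapper can then also modify map contents. If write is only present because the kernel's BPF_OBJ_GET opens the pinned object read-write, say so in the comment so the breadth reads as deliberate rather than denial-driven, and otherwise trim the rule to `allow netutils_wrapper fs_bpf:file read;`. The comment also has grammar slips; suggest `# For vendor code that updates the iptables rules at runtime: reloading a chain` / `# re-applies the whole chain including its xt_bpf rules, so netutils_wrapper needs` / `# access to the pinned program (and prog_run on it) while the rules are reloaded.` Finally, `allow netutils_wrapper bpfloader:bpf prog_run;` is the rule that pairs with the relaxed neverallow in bpfloader.te, and a one-line comment above it pointing at that neverallow would make the coupling explicit for whoever next edits either file.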