cut down bpf related privileges
This is driven by 3 things: - netd no longer needs setattr, since this is now done by bpfloader - nothing should ever unpin maps or programs - generic cleanups and additional neverallows Test: build, atest Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I881cc8bf9fe062aaff709727406c5a51fc363c8e
This commit is contained in:
Maciej Żenczykowski
parent
281afd81fa
commit
49c73b06a2
@ -3,26 +3,36 @@ type bpfloader, domain;
|
||||
type bpfloader_exec, system_file_type, exec_type, file_type;
|
||||
typeattribute bpfloader coredomain;
|
||||
|
||||
# These permission is required for pin bpf program for netd.
|
||||
allow bpfloader fs_bpf:dir create_dir_perms;
|
||||
allow bpfloader fs_bpf:file create_file_perms;
|
||||
allow bpfloader devpts:chr_file { read write };
|
||||
# These permissions are required to pin ebpf maps & programs.
|
||||
allow bpfloader fs_bpf:dir { search write add_name };
|
||||
allow bpfloader fs_bpf:file { create setattr };
|
||||
|
||||
# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
|
||||
# for retrieving a pinned map when bpfloader do a run time restart.
|
||||
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
|
||||
# Allow bpfloader to create bpf maps and programs.
|
||||
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
|
||||
|
||||
allow bpfloader self:capability { chown sys_admin };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
||||
# TODO: get rid of init & vendor_init
|
||||
neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
|
||||
neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
|
||||
neverallow domain fs_bpf:dir { reparent rename rmdir };
|
||||
|
||||
# TODO: get rid of init & vendor_init
|
||||
neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
|
||||
neverallow { domain -bpfloader } fs_bpf:file create;
|
||||
neverallow domain fs_bpf:file { rename unlink };
|
||||
|
||||
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
|
||||
neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
|
||||
neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
|
||||
|
||||
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
|
||||
|
||||
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
# only system_server, netd and bpfloader can read/write the bpf maps
|
||||
neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
|
||||
|
||||
# No domain should be allowed to ptrace bpfloader
|
||||
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
|
||||
|
||||
@ -63,7 +63,7 @@ allow netd sysfs_usb:file write;
|
||||
r_dir_file(netd, cgroup_bpf)
|
||||
|
||||
allow netd fs_bpf:dir search;
|
||||
allow netd fs_bpf:file { read write setattr };
|
||||
allow netd fs_bpf:file { read write };
|
||||
|
||||
# TODO: netd previously thought it needed these permissions to do WiFi related
|
||||
# work. However, after all the WiFi stuff is gone, we still need them.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user