Add permissions for bpf.progs_loaded property
Change-Id: If4e550e4186415c5a1088bb53b0755b69f92560a Signed-off-by: Joel Fernandes <joelaf@google.com>
parent
147cf6482e
commit
b76a639956
@ -26,3 +26,5 @@ neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write
|
||||
|
||||
# No domain should be allowed to ptrace bpfloader
|
||||
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
|
||||
|
||||
set_prop(bpfloader, bpf_progs_loaded_prop)
|
||||
|
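Review bot: Nothing in this hunk pins who may write `bpf_progs_loaded_prop`: the added `set_prop(bpfloader, bpf_progs_loaded_prop)` grants the write, but unlike the bpf and ptrace rules just above it there is no matching neverallow. The same commit gives netd `get_prop` on this type, so netd presumably treats the value as a signal that the BPF programs are in place; a later policy change that lets another domain set it would then pass the build unnoticed. I would add `neverallow { domain -init -bpfloader } bpf_progs_loaded_prop:property_service set;` after the set_prop line. The `-init` exclusion assumes init keeps its usual blanket property-set permission, which should be confirmed against init's policy. A one-line comment above set_prop stating what the property signals would also help.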
@ -18,6 +18,7 @@
|
||||
apexd_prop
|
||||
apexd_tmpfs
|
||||
biometric_service
|
||||
bpf_progs_loaded_prop
|
||||
content_capture_service
|
||||
content_suggestions_service
|
||||
cpu_variant_prop
|
||||
|
@ -11,3 +11,5 @@ domain_auto_trans(netd, clatd_exec, clatd)
|
||||
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
|
||||
# the map created by bpfloader
|
||||
allow netd bpfloader:bpf { prog_run map_read map_write };
|
||||
|
||||
get_prop(netd, bpf_progs_loaded_prop)
|
||||
|
@ -173,3 +173,5 @@ persist.device_config.global_settings.native_flags_health_check_enabled u:object
|
||||
|
||||
apexd. u:object_r:apexd_prop:s0
|
||||
persist.apexd. u:object_r:apexd_prop:s0
|
||||
|
||||
bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
|
||||
|
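Review bot: The new `bpf.progs_loaded` entry has no match qualifier, so under the usual property_contexts semantics it is a prefix match, and any property whose name merely starts with `bpf.progs_loaded` gets the `bpf_progs_loaded_prop` label too. The neighbouring entries end in a dot (`apexd.`, `persist.apexd.`) because they are meant as prefixes, whereas this one names a single property. If the property_contexts format in this tree supports it, `bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact int` would restrict the label to that one name and constrain the value. The value type here is a guess and should match what bpfloader actually writes.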
@ -3,6 +3,7 @@ type audio_prop, property_type, core_property_type;
|
||||
type boottime_prop, property_type;
|
||||
type bluetooth_a2dp_offload_prop, property_type;
|
||||
type bluetooth_prop, property_type;
|
||||
type bpf_progs_loaded_prop, property_type;
|
||||
type bootloader_boot_reason_prop, property_type;
|
||||
type config_prop, property_type, core_property_type;
|
||||
type cppreopt_prop, property_type, core_property_type;
|
||||
@ -342,6 +343,7 @@ compatible_property_only(`
|
||||
-bluetooth_prop
|
||||
-bootloader_boot_reason_prop
|
||||
-boottime_prop
|
||||
-bpf_progs_loaded_prop
|
||||
-config_prop
|
||||
-cppreopt_prop
|
||||
-ctl_adbd_prop
|
||||
|