sepolicy: Allow mount cgroupv2 and bpf fs
Some necessary sepolicy rule changes for the init process to create a directory,
mount cgroupv2 and mount the bpf filesystem. Also allow netd to create
and pin bpf objects as files and read them back from files under the
directory where the bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
diff --git a/public/file.te b/public/file.te
index e3ffa34..cdaaf22 100644
--- a/public/file.te
+++ b/public/file.te
@@ -60,6 +60,7 @@
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
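Review bot: The new `type cgroup_bpf, fs_type;` line has no comment saying which mount point it labels, while the surrounding sysfs types are grouped under path comments in this same file (see `# /sys/devices/system/cpu` in the next hunk). A comment above it such as `# cgroup v2 hierarchy mount point: <MOUNT_POINT — confirm against file_contexts>` would record that. It also omits `mlstrustedobject`, unlike `cgroup` on the line above; if that is deliberate because only init and netd touch the v2 hierarchy, a word in the comment would save the next reader the question.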
@@ -81,6 +82,7 @@
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type, sysfs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
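Review bot: `type fs_bpf, fs_type, sysfs_type;` makes pinned bpf objects inherit every rule written against the `sysfs_type` attribute anywhere in the policy, not only the `allow netd fs_bpf ...` rules this commit adds, so any domain that has blanket read access on `sysfs_type` (the `# TODO: added to match above sysfs rule` comment in netd.te suggests such rules exist) would also be able to open pinned maps and programs. The attribute is not needed for `associate`: bpf fs is its own filesystem, and `allow fs_type self:filesystem associate;` in the next hunk already covers files created inside it. Unless a rule outside this diff depends on fs_bpf being sysfs_type, `type fs_bpf, fs_type;` is the least-privilege declaration; if `sysfs_type` is kept on purpose, a comment stating why would help.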
@@ -364,6 +366,7 @@
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
allow file_type labeledfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index 450afd8..80e9e77 100644
--- a/public/init.te
+++ b/public/init.te
@@ -69,6 +69,10 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
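Review bot: The comment `# Mount bpf fs on sys/fs/bpf` drops the leading slash; the Test line of the commit and the rest of this file use absolute paths, so `# Mount bpf fs on /sys/fs/bpf`. The `allow init cgroup_bpf:dir { create mounton };` line is appended under the `# Create and mount on directories in /.` heading with no comment of its own, although unlike the other labels in that block the cgroup v2 mount point is created by init here; a comment naming it, e.g. `# Create and mount the cgroup v2 hierarchy at <MOUNT_POINT — confirm>`, would keep the file's convention. `allow init fs_bpf:dir mounton;` also assumes the /sys/fs/bpf directory already carries the fs_bpf label before the mount (presumably via a genfscon entry not in this diff); if it is still labeled as plain sysfs at that point, mounton would be denied on that label instead — worth confirming.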
diff --git a/public/netd.te b/public/netd.te
index fa03dbd..ec18113 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,6 +7,7 @@
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
+r_dir_file(netd, cgroup_bpf)
allow netd system_server:fd use;
allow netd self:global_capability_class_set { net_admin net_raw kill };
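Review bot: `r_dir_file(netd, cgroup_bpf)` is the only place netd is given access to the cgroup v2 hierarchy, and the commit message only mentions cgroupv2 in the context of init, so the reason netd needs to read it is not recorded anywhere. A one-line comment above the macro, e.g. `# netd reads the cgroup v2 hierarchy to <REASON — confirm>`, would make the rule reviewable later. The enclosing rule block continues outside the hunk.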
@@ -57,6 +58,9 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
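Review bot: `allow netd fs_bpf:dir create_dir_perms;` and `allow netd fs_bpf:file create_file_perms;` grant considerably more than the "create and pin bpf object as files and read it back" described in the commit message: the macros include unlink, rename, setattr and append on every pinned object, so a compromised netd could remove or replace pinned maps and programs that other consumers rely on. Pinning needs roughly `dir { search write add_name }` plus `file { create getattr }`, and reading back needs roughly `file { read open getattr }`; if re-pinning across a netd restart requires unlink, add just that permission rather than the whole macro. The two lines are also dropped between two unrelated TODO comments with none of their own; a comment such as `# Pin bpf maps/programs under /sys/fs/bpf and read them back` would follow the file's convention.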