566411edf27276e616113b82e3c9b1f617cd4d14 - LeafOS-Project/android_system_sepolicy

commit	566411edf27276e616113b82e3c9b1f617cd4d14	[log] [tgz]
author	Chenbo Feng <fengc@google.com>	Tue Jan 02 15:31:18 2018 -0800
committer	Chenbo Feng <fengc@google.com>	Wed Jan 17 23:19:30 2018 +0000
tree	1a5a3a17136bb3ee34f226a5efda823099c145d0
parent	8b049d5b6f44f7e51109814bc3bdd9d2ee7faf2a [diff]

Add sepolicy to lock down bpf access

Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f

private/bpfloader.te[Added - diff]
private/compat/26.0/26.0.ignore.cil[diff]
private/file_contexts[diff]
private/netd.te[diff]
public/netd.te[diff]

5 files changed

tree: 1a5a3a17136bb3ee34f226a5efda823099c145d0

prebuilts/
private/
public/
reqd_mask/
tests/
tools/
vendor/
Android.bp
Android.mk
CleanSpec.mk
definitions.mk
MODULE_LICENSE_PUBLIC_DOMAIN
NOTICE
OWNERS
PREUPLOAD.cfg
README