# SELinux policy for the BPF program loader domain (bpfloader).
# bpfloader is the only domain permitted to load BPF programs (see the
# neverallow rules at the bottom); everything else here is the minimum
# access it needs to load and pin those programs for netd.
type bpfloader, domain;
type bpfloader_exec, exec_type, file_type;
typeattribute bpfloader coredomain;

# The process needs CAP_NET_ADMIN to run BPF programs as a cgroup filter.
allow bpfloader self:global_capability_class_set net_admin;

# Read-only access to the cgroup_bpf directories and files (the macro grants
# r_dir_perms on dir and r_file_perms on file).
r_dir_file(bpfloader, cgroup_bpf)

# These permissions are required to pin BPF programs under the bpf
# filesystem (fs_bpf) for netd.
allow bpfloader fs_bpf:dir create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
# Read/write on a pty; NOTE(review): presumably stdout/stderr when the
# loader is launched from a terminal — confirm this is still needed.
allow bpfloader devpts:chr_file { read write };

# Use file descriptors owned by netd; NOTE(review): presumably inherited
# across the exec from netd (netd may execute bpfloader_exec below) — confirm.
allow bpfloader netd:fd use;

# Use the pinned BPF map files owned by netd.
allow bpfloader netd:bpf { map_read map_write };
# Load and run BPF programs of its own.
allow bpfloader self:bpf { prog_load prog_run };

# Neverallow rules: compile-time invariants the rest of the policy cannot
# override.
# Only bpfloader may load BPF programs.
neverallow { domain -bpfloader } *:bpf prog_load;
# Only bpfloader, netd and netutils_wrapper may run BPF programs.
neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
# Only netd and bpfloader may execute the loader binary, with or without
# a domain transition.
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
# bpfloader never gets any permission on TCP, UDP or raw IP sockets of any
# domain — it loads filters, it does not talk on the network.
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# Only system_server, netd and bpfloader can read/write the BPF maps owned
# by netd.
neverallow { domain -system_server -netd -bpfloader } netd:bpf { map_read map_write };

# Suppress audit logs for CAP_SYS_ADMIN checks; the capability is NOT
# granted. NOTE(review): likely triggered by the kernel's bpf() capability
# check — confirm before relying on this being benign.
dontaudit bpfloader self:capability sys_admin;