bpf: Copy comment about bpffs labelling into bpf_helpers.h

I found this comment in aosp/2103424 helpful in figuring out the correct selinux domain for a newly added map. Test: documentation only change (cherry picked from https://android-review.googlesource.com/q/commit:dc66d3bb25fe4fbd4b74d6deea9de374e057bccd) Merged-In: I96c06ff33605c8ed3f2ae6e8810bbcdc8e66b51b Change-Id: I96c06ff33605c8ed3f2ae6e8810bbcdc8e66b51b Bug: 283523051
author: Patrick Rohr <prohr@google.com> 2023-05-10 21:48:23 +0000
committer: Cherrypicker Worker <android-build-cherrypicker-worker@google.com> 2023-05-22 08:46:26 +0000
commit: 172873f8d704f167c192b2238456805cdbdb185b (patch)
tree: 29ab5f10fd25106ce1703014ca8ba30b69639d60
parent: b73b5e5183dde337f6a8f0b2939c3e07d7bc9db8 (diff)
download: net-172873f8d704f167c192b2238456805cdbdb185b.tar.gz
1 files changed, 24 insertions, 0 deletions
diff --git a/common/native/bpf_headers/include/bpf/bpf_helpers.h b/common/native/bpf_headers/include/bpf/bpf_helpers.h
index 4939483a..20b5bf1d 100644
--- a/common/native/bpf_headers/include/bpf/bpf_helpers.h
+++ b/common/native/bpf_headers/include/bpf/bpf_helpers.h
@@ -103,6 +103,30 @@
 #define KVER(a, b, c) (((a) << 24) + ((b) << 16) + (c))
 #define KVER_INF 0xFFFFFFFFu
 
+/*
+ * BPFFS (ie. /sys/fs/bpf) labelling is as follows:
+ *   subdirectory   selinux context      mainline  usecase / usable by
+ *   /              fs_bpf               no [*]    core operating system (ie. platform)
+ *   /loader        fs_bpf_loader        no, U+    (as yet unused)
+ *   /net_private   fs_bpf_net_private   yes, T+   network_stack
+ *   /net_shared    fs_bpf_net_shared    yes, T+   network_stack & system_server
+ *   /netd_readonly fs_bpf_netd_readonly yes, T+   network_stack & system_server & r/o to netd
+ *   /netd_shared   fs_bpf_netd_shared   yes, T+   network_stack & system_server & netd [**]
+ *   /tethering     fs_bpf_tethering     yes, S+   network_stack
+ *   /vendor        fs_bpf_vendor        no, T+    vendor
+ *
+ * [*] initial support for bpf was added back in P,
+ *     but things worked differently back then with no bpfloader,
+ *     and instead netd doing stuff by hand,
+ *     bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
+ *     (and was definitely there in R).
+ *
+ * [**] additionally bpf programs are accessible to netutils_wrapper
+ *      for use by iptables xt_bpf extensions.
+ *
+ * See cs/p:aosp-master%20-file:prebuilts/%20file:genfs_contexts%20"genfscon%20bpf"
+ */
+
 /* generic functions */
 
 /*
author	Patrick Rohr <prohr@google.com>	2023-05-10 21:48:23 +0000
committer	Cherrypicker Worker <android-build-cherrypicker-worker@google.com>	2023-05-22 08:46:26 +0000
commit	172873f8d704f167c192b2238456805cdbdb185b (patch)
tree	29ab5f10fd25106ce1703014ca8ba30b69639d60
parent	b73b5e5183dde337f6a8f0b2939c3e07d7bc9db8 (diff)
download	net-172873f8d704f167c192b2238456805cdbdb185b.tar.gz