Merge "Move pf_key socket creation permission to system_server" am: d3d214482f

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1964902 Change-Id: I5a17509a858aa1fd7b068943a5cfd457518ddb27
2022-01-28 19:07:14 +00:00 · 2022-01-28 19:07:14 +00:00 · 6093f3febf
commit 6093f3febf
parent 0de1ba742a d3d214482f
2 changed files with 3 additions and 0 deletions
--- a/private/netd.te
+++ b/private/netd.te
@ -18,6 +18,7 @@ allow netd bpfloader:bpf { prog_run map_read map_write };

 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 # TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Remove this after we remove all bpf interactions from netd.
 allow netd self:key_socket create;

 set_prop(netd, ctl_mdnsd_prop)
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1116,6 +1116,8 @@ with_asan(`
 allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+allow system_server self:key_socket create;

 # ART Profiles.
 # Allow system_server to open profile snapshots for read.