Add search in bpf directory for bpfdomains

Bug: 203462310
Test: Ensure that associated BPFs can be loaded
Change-Id: I317a890abb518cf4ac47cd089e882315434342ce

private/bpfdomain.te

@@ -11,3 +11,4 @@ neverallow {
 # any domain which uses bpf is a bpfdomain
 neverallow { domain -bpfdomain } *:bpf *;
 
+allow bpfdomain fs_bpf:dir search;

private/gpuservice.te

@@ -54,7 +54,6 @@ neverallow gpuservice self:perf_event ~{ cpu kernel open write };
 
 # Needed for interact with bpf fs.
 # Write is needed to open read/write bpf maps.
-allow gpuservice fs_bpf:dir search;
 allow gpuservice fs_bpf:file { read write };
 
 # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).

private/lmkd.te

@@ -12,7 +12,6 @@ set_prop(lmkd, lmkd_prop)
 # Get persist.device_config.lmk_native.* properties.
 get_prop(lmkd, device_config_lmkd_native_prop)
 
-allow lmkd fs_bpf:dir search;
 allow lmkd fs_bpf:file read;
 allow lmkd bpfloader:bpf map_read;
 

private/mediaprovider_app.te

@@ -65,6 +65,5 @@ dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
 dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
 
 # bpfprog access for FUSE BPF
-allow mediaprovider_app fs_bpf:dir search;
 allow mediaprovider_app fs_bpf:file read;
 allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };

private/netutils_wrapper.te

@@ -25,7 +25,6 @@ binder_call(netutils_wrapper, netd);
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
 allow netutils_wrapper fs_bpf:file { read write };
 allow netutils_wrapper bpfloader:bpf prog_run;
 

private/system_server.te

@@ -1133,7 +1133,6 @@ with_asan(`
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
-allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()

public/hal_health.te

@@ -28,7 +28,6 @@ allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
 allow hal_health_server self:capability2 wake_alarm;
 
 # Use bpf programs
-allow hal_health_server fs_bpf:dir search;
 allow hal_health_server fs_bpf_vendor:dir search;
 allow hal_health_server fs_bpf_vendor:file read;
 allow hal_health_server bpfloader:bpf prog_run;

public/netd.te

@@ -64,7 +64,6 @@ allow netd sysfs_usb:file write;
 
 r_dir_file(netd, cgroup_v2)
 
-allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related