diff --git a/private/bpfdomain.te b/private/bpfdomain.te index f0888a7f0..2be7f8874 100644 --- a/private/bpfdomain.te +++ b/private/bpfdomain.te @@ -11,3 +11,4 @@ neverallow { # any domain which uses bpf is a bpfdomain neverallow { domain -bpfdomain } *:bpf *; +allow bpfdomain fs_bpf:dir search; diff --git a/private/gpuservice.te b/private/gpuservice.te index 35167d58a..76a237054 100644 --- a/private/gpuservice.te +++ b/private/gpuservice.te @@ -54,7 +54,6 @@ neverallow gpuservice self:perf_event ~{ cpu kernel open write }; # Needed for interact with bpf fs. # Write is needed to open read/write bpf maps. -allow gpuservice fs_bpf:dir search; allow gpuservice fs_bpf:file { read write }; # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write). diff --git a/private/lmkd.te b/private/lmkd.te index 13828a4a0..51d620442 100644 --- a/private/lmkd.te +++ b/private/lmkd.te @@ -12,7 +12,6 @@ set_prop(lmkd, lmkd_prop) # Get persist.device_config.lmk_native.* properties. get_prop(lmkd, device_config_lmkd_native_prop) -allow lmkd fs_bpf:dir search; allow lmkd fs_bpf:file read; allow lmkd bpfloader:bpf map_read; diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te index bcbbfcc5f..630183e73 100644 --- a/private/mediaprovider_app.te +++ b/private/mediaprovider_app.te @@ -65,6 +65,5 @@ dontaudit mediaprovider_app sysfs_vendor_sched:dir search; dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms; # bpfprog access for FUSE BPF -allow mediaprovider_app fs_bpf:dir search; allow mediaprovider_app fs_bpf:file read; allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run }; diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te index 06aadc23a..af0360f20 100644 --- a/private/netutils_wrapper.te +++ b/private/netutils_wrapper.te @@ -25,7 +25,6 @@ binder_call(netutils_wrapper, netd); # For vendor code that update the iptables rules at runtime. They need to reload # the whole chain including the xt_bpf rules. They need to access to the pinned # program when reloading the rule. -allow netutils_wrapper fs_bpf:dir search; allow netutils_wrapper fs_bpf:file { read write }; allow netutils_wrapper bpfloader:bpf prog_run; diff --git a/private/system_server.te b/private/system_server.te index 275bb6f92..3e35b7e53 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -1133,7 +1133,6 @@ with_asan(` # allow system_server to read the eBPF maps that stores the traffic stats information and update # the map after snapshot is recorded, and to read, update and run the maps and programs used for # time in state accounting -allow system_server fs_bpf:dir search; allow system_server fs_bpf:file { read write }; allow system_server bpfloader:bpf { map_read map_write prog_run }; # in order to invoke side effect of close() on such a socket calling synchronize_rcu() diff --git a/public/hal_health.te b/public/hal_health.te index a31da4d93..5d7aff5ba 100644 --- a/public/hal_health.te +++ b/public/hal_health.te @@ -28,7 +28,6 @@ allow hal_health_server kmsg_device:chr_file { getattr w_file_perms }; allow hal_health_server self:capability2 wake_alarm; # Use bpf programs -allow hal_health_server fs_bpf:dir search; allow hal_health_server fs_bpf_vendor:dir search; allow hal_health_server fs_bpf_vendor:file read; allow hal_health_server bpfloader:bpf prog_run; diff --git a/public/netd.te b/public/netd.te index 899df881d..64b4c7da5 100644 --- a/public/netd.te +++ b/public/netd.te @@ -64,7 +64,6 @@ allow netd sysfs_usb:file write; r_dir_file(netd, cgroup_v2) -allow netd fs_bpf:dir search; allow netd fs_bpf:file { read write }; # TODO: netd previously thought it needed these permissions to do WiFi related