# Compile-time assertion: CAP_NET_ADMIN / CAP_NET_RAW are withheld from every
# bpfdomain except the platform components listed as exemptions, so the
# platform alone owns the network attach points used for BPF.
neverallow {
  bpfdomain
  -bpfloader
  -netd
  -netutils_wrapper
  -network_stack
  -system_server
} self:global_capability_class_set { net_admin net_raw };

# Compile-time assertion: the bpf object class is off limits to any domain
# that is not a bpfdomain, i.e. every BPF user must carry that attribute.
neverallow { domain -bpfdomain } *:bpf *;

# Directory traversal within the bpf filesystem.
allow bpfdomain fs_bpf:dir { search };

# Symlink creation inside the bpf filesystem does not appear to go through
# genfscon, so newly created symlinks end up labelled with the generic
# 'fs_bpf:lnk_type' rather than a per-path label. This looks like a kernel
# bug / missing feature; granting read on every bpffs_type keeps things
# working now and will still work if the labelling is eventually fixed.
allow bpfdomain bpffs_type:lnk_file { read };

# Required by //frameworks/libs/net:
# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
get_prop(bpfdomain, bpf_progs_loaded_prop)