d5098f99a9
(this is to allow /sys/fs/bpf/tethering -> net_shared/tethering for InProcessTethering, ie. Android Go devices) Bug: 190523685 Bug: 236925089 Test: TreeHugger, manually on aosp_cf_x86_go_phone-userdebug Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Ifa52429f958b0af80f91af6bfb064c1cdf9cd070
21 lines
665 B
Text
21 lines
665 B
Text
# platform should have ownership of network attachpoints for BPF
|
|
neverallow {
|
|
bpfdomain
|
|
-bpfloader
|
|
-netd
|
|
-netutils_wrapper
|
|
-network_stack
|
|
-system_server
|
|
} self:global_capability_class_set { net_admin net_raw };
|
|
|
|
# any domain which uses bpf is a bpfdomain
|
|
neverallow { domain -bpfdomain } *:bpf *;
|
|
|
|
allow bpfdomain fs_bpf:dir search;
|
|
|
|
# genfscon doesn't seem to trigger during symlink creation,
|
|
# and thus any created symlinks end up as 'fs_bpf:lnk_type',
|
|
# however this feels like a kernel bug / missing feature,
|
|
# so let's allow all bpffs_type's instead,
|
|
# this will keep things working even if this is fixed.
|
|
allow bpfdomain bpffs_type:lnk_file read;
|