9c6c988bad
Ignore-AOSP-First: UpsideDownCake Finalization Bug: 275409981 Test: build Change-Id: I15bf3817a8a6867d52f7963a04a69e543a9801e9 Merged-In: I15bf3817a8a6867d52f7963a04a69e543a9801e9
25 lines
806 B
Text
25 lines
806 B
Text
# platform should have ownership of network attachpoints for BPF
|
|
neverallow {
|
|
bpfdomain
|
|
-bpfloader
|
|
-netd
|
|
-netutils_wrapper
|
|
-network_stack
|
|
-system_server
|
|
} self:global_capability_class_set { net_admin net_raw };
|
|
|
|
# any domain which uses bpf is a bpfdomain
|
|
neverallow { domain -bpfdomain } *:bpf *;
|
|
|
|
allow bpfdomain fs_bpf:dir search;
|
|
|
|
# genfscon doesn't seem to trigger during symlink creation,
|
|
# and thus any created symlinks end up as 'fs_bpf:lnk_type',
|
|
# however this feels like a kernel bug / missing feature,
|
|
# so let's allow all bpffs_type's instead,
|
|
# this will keep things working even if this is fixed.
|
|
allow bpfdomain bpffs_type:lnk_file read;
|
|
|
|
# Needed for //frameworks/libs/net:
|
|
# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
|
|
get_prop(bpfdomain, bpf_progs_loaded_prop)
|