sepolicy: New sepolicy classes and rules about bpf object Add the new classes for eBPF map and program to limit the access to eBPF object. Add corresponding rules to allow netd module initialize bpf programs and maps, use the program and read/wirte to eBPF maps. Test: no bpf sepolicy violations when device boot Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd

commit: 08f92f9c01fc5b86d620024573c46ff9e6ec173b [log] [tgz]
author: Chenbo Feng <fengc@google.com> Tue Aug 22 18:33:46 2017 -0700
committer: Chenbo Feng <fengc@google.com> Tue Jan 02 11:52:33 2018 -0800
tree: 157d64c44cf6a3cf535e70220b065db6af3ca51f
parent: 254ad0da3ac3709cbce81af2a6faeb23317afea3 [diff] [blame]
diff --git a/private/security_classes b/private/security_classes
index 2cfc768..251b721 100644
--- a/private/security_classes
+++ b/private/security_classes

@@ -35,6 +35,7 @@
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket
+class bpf
 
 # sysv-ipc-related classes
 class sem
commit	08f92f9c01fc5b86d620024573c46ff9e6ec173b	[log] [tgz]
author	Chenbo Feng <fengc@google.com>	Tue Aug 22 18:33:46 2017 -0700
committer	Chenbo Feng <fengc@google.com>	Tue Jan 02 11:52:33 2018 -0800
tree	157d64c44cf6a3cf535e70220b065db6af3ca51f
parent	254ad0da3ac3709cbce81af2a6faeb23317afea3 [diff] [blame]