selinux: bpfloader: add fs_bpf:dir read and open
libbpf requires read and open on fs_bpf:dir for pin creation; allow both of
these for the bpfloader domain.
Bug: 359646531
Bug: 380954451
Test: TH/Manual
Change-Id: Iaa756bde2759d64cb310f10b78dfcd028828f6b3
Signed-off-by: Neill Kapron <nkapron@google.com>
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 33d3783..4fe3843 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -6,7 +6,7 @@
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader bpffs_type:dir { add_name create remove_name search setattr write };
+allow bpfloader bpffs_type:dir { add_name create open read remove_name search setattr write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
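Review bot: The new `open read` on line 17 is granted on every `bpffs_type` directory, while the commit message names only `fs_bpf:dir`; either the message understates the grant or the rule is wider than the libbpf requirement needs, so confirm that listing entries of all bpffs sub-filesystems (not just the fs_bpf root) is intended. The comment on line 15 also does not say why directory `open`/`read` are now needed, which makes them easy to drop again in a later cleanup; I would extend it to `# These permissions are required to pin ebpf maps & programs (libbpf opens and reads the pin directory while creating pins).` I am taking the libbpf behaviour from the commit message rather than from anything visible in the hunk.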
@@ -29,8 +29,8 @@
###
# Note: we don't care about getattr/mounton/search
-neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search setattr write };
-neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name setattr write };
+neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create open read remove_name setattr write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
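Review bot: Lines 26-27 together make directory `open`/`read` on bpffs bpfloader-exclusive, but the comment on line 23 only records which permissions are deliberately unconstrained, so the reader has to diff the two neverallow lists to see that enumerating pinned objects is now a bpfloader-only capability. I would add above line 26: `# Only bpfloader may create, modify or enumerate (open/read) bpffs directories; getattr/mounton/search are left unconstrained.` The two lists are consistent with the allow rule in the earlier hunk, so this is a documentation point only.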