Allow netutils_wrapper to use pinned bpf program
The netutils_wrapper is a process used by vendor code to update the
iptables rules on devices. When it updates the rules for a specific chain,
the iptables module will reload the whole chain with the new rule. So
even though the netutils_wrapper does not need to add any rules related to the xt_bpf
module, it will still reload the existing iptables rules about the xt_bpf
module and needs to pass through the SELinux check again when the rules are
reloaded. So we have to grant it the permission to reuse the pinned
program in fs_bpf when it modifies the corresponding iptables chain so
the vendor module will not crash anymore.
Test: device boot and no more denials from netutils_wrapper
Bug: 72111305
Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 9a5697e..f56e8d8 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -18,6 +18,13 @@
allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:dir search;
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
+
# For /data/misc/net access to ndc and ip
r_dir_file(netutils_wrapper, net_data_file)
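Review bot: the `fs_bpf:file { read write }` rule grants write access to every pinned object under fs_bpf, while the commit message only describes reusing the already pinned program when the xt_bpf rules are reloaded; if that only requires opening the pinned program, `read` alone should suffice, so either drop `write` or extend the comment to state which operation needs it. The comment above the new rules also needs a grammar pass, e.g. "For vendor code that updates the iptables rules at runtime. It needs to reload the whole chain including the xt_bpf rules, and needs access to the pinned program when reloading the rule."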