sepolicy: allow netutils_wrapper access to fs_bpf_vendor This is needed to allow vendor xt_bpf programs. Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de

commit: 37ca69e5c834f09b5ff788baf3f08a35889f914f [log] [tgz]
author: Maciej Żenczykowski <maze@google.com> Sat Nov 18 03:36:05 2023 +0000
committer: Maciej Żenczykowski <maze@google.com> Sat Jan 20 23:56:37 2024 +0000
tree: ce1b5bf243d7b8a641b1492a745d8af879edd469
parent: 7a3d15416e4219e8af453a17ad8fe92d11e8bb59 [diff] [blame]
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f1915..a26181f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te

@@ -25,9 +25,9 @@
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf                    }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf                                  }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
 # For /data/misc/net access to ndc and ip
commit	37ca69e5c834f09b5ff788baf3f08a35889f914f	[log] [tgz]
author	Maciej Żenczykowski <maze@google.com>	Sat Nov 18 03:36:05 2023 +0000
committer	Maciej Żenczykowski <maze@google.com>	Sat Jan 20 23:56:37 2024 +0000
tree	ce1b5bf243d7b8a641b1492a745d8af879edd469
parent	7a3d15416e4219e8af453a17ad8fe92d11e8bb59 [diff] [blame]