Allow system_server to write to bpf maps
The bpf maps for per uid stats need to be regularly cleaned now to
optimize the memory usage and performance. It can only be done by
system_server since it is the process that scrapes and reads the stats.
So allow it to write to maps to clean the stats. This change also
allows the system server to create PF_KEY sockets since we need a
reliable way to force synchronize the rcu on devices with 4.9 kernel.
Test: CtsUsageStatsTestCases
Bug: 79171384
Change-Id: I6564a56a5906a958f7d8e1d290b85de3f6fa121d
diff --git a/private/system_server.te b/private/system_server.te
index 30235e5..2dcab1e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -852,11 +852,15 @@
allow system_server zygote_exec:file rx_file_perms;
')
-# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file read;
-allow system_server bpfloader:bpf map_read;
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow system_server self:key_socket create;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
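Review bot: the `allow system_server self:key_socket create;` rule is granted unconditionally, while the comment above it and the commit message tie the need to 4.9 kernels only, and the TODO has no bug number to track its removal. The comment is also a sentence fragment: it should say that system_server creates and closes a PF_KEY socket purely so that close() triggers synchronize_rcu() after the stats maps are cleaned, so a later reader does not take it for a real IPsec key-management permission. Separately, `fs_bpf:file { read write }` and `bpfloader:bpf { map_read map_write }` grant write access to every object carrying those types, not only the per-uid stats maps. If any other map is labeled fs_bpf or created by bpfloader, system_server can now modify it as well, so please either confirm the stats maps are the only ones under these types or note in the comment that a dedicated type should follow.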