Allow network_stack to update eBPF map Bug: 173167302 Test: m Change-Id: I7e7fcbcada905601cf08bf99fcdeb7e61c6effae

commit: 48c600fce14861b727d6c48236362fc57cbdb640 [log] [tgz]
author: markchien <markchien@google.com> Thu Nov 26 09:55:56 2020 +0800
committer: Maciej Żenczykowski <maze@google.com> Wed Dec 02 00:38:25 2020 +0000
tree: b4904fa15724e13e5c1a21bf39d837d3247a2b91
parent: 476ef10ed8925b08c5733dd66e899d1d35f4d7bc [diff] [blame]
diff --git a/private/network_stack.te b/private/network_stack.te
index 1295a07..4768538 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te

@@ -1,5 +1,5 @@
 # Networking service app
-typeattribute network_stack coredomain;
+typeattribute network_stack coredomain, mlstrustedsubject;
 
 app_domain(network_stack);
 net_domain(network_stack);
@@ -36,3 +36,7 @@
 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack fs_bpf:dir search;
+allow network_stack fs_bpf:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
commit	48c600fce14861b727d6c48236362fc57cbdb640	[log] [tgz]
author	markchien <markchien@google.com>	Thu Nov 26 09:55:56 2020 +0800
committer	Maciej Żenczykowski <maze@google.com>	Wed Dec 02 00:38:25 2020 +0000
tree	b4904fa15724e13e5c1a21bf39d837d3247a2b91
parent	476ef10ed8925b08c5733dd66e899d1d35f4d7bc [diff] [blame]