commit 52862a32c16d8088a82b4373724365c4c7da5143
author Stephane Lee <stayfan@google.com> Tue Mar 08 14:56:27 2022 -0800
committer Stephane Lee <stayfan@google.com> Mon Mar 21 12:54:49 2022 -0700
tree e25fe55aae279910af171c5c57661f09fbe7dc57
parent b93f26fd899ba19d77af9444c9f60e4a4478070d

Add sepolicies to allow hal_health_default to load BPFs.

Bug: 203462310
Test: Ensure that the BPF filter can be loaded
Change-Id: Ib507d4c1718dd56fb336501ed7598de7b44a687b

private/bpfloader.te

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7644cac..d7b27b5 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -40,7 +40,17 @@
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
-neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow {
+  domain
+  -bpfloader
+  -gpuservice
+  -hal_health_server
+  -mediaprovider_app
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} *:bpf prog_run;
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };