Merge "Allow system_server to write to bpf maps" am: b761636b9d am: ac0b2ee2fd
am: 096a2d3018
Change-Id: I2de8c56981abdc3795b03e6588cbc60a28db37c0
diff --git a/private/system_server.te b/private/system_server.te
index 2162ee6..0caf176 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -847,11 +847,15 @@
allow system_server zygote_exec:file rx_file_perms;
')
-# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file read;
-allow system_server bpfloader:bpf map_read;
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow system_server self:key_socket create;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
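Review bot: The widened rules `allow system_server fs_bpf:file { read write };` and `allow system_server bpfloader:bpf { map_read map_write };` are type-wide, so system_server gains write access to every pinned object labelled fs_bpf and every map created by bpfloader, not only the traffic stats maps that the comment names. If that breadth is accepted, the comment should say so, for example `# NOTE: write applies to all fs_bpf-labelled maps; only the traffic stats maps are meant to be updated here`, and a narrower label for those maps would be the least-privilege option if the policy can provide one. The comment above `allow system_server self:key_socket create;` is a sentence fragment: it should state that the socket is created and immediately closed only to trigger synchronize_rcu() on 4.9 kernels, and that `create` is deliberately the only key_socket permission granted. The TODO would also be easier to act on with a tracking bug reference next to it.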