commit 83bfe14cb0edfbd002617eaf1256009825f1d2b5
author Maciej Żenczykowski <maze@google.com> Wed Jun 17 16:58:24 2020 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Wed Jun 17 16:58:24 2020 +0000
tree ad7cc9e02b2a1a2365d2fced09a8ec3e56891256
parent c6684733b360e5b13d8a288859c703be88028284
parent ef76c5371963f6be4a65f4c52ab0b70d875d2510

grant bpfloader ability to fetch the fd of pinned bpf programs am: ef76c53719

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1339062

Change-Id: Ie3e633acab447a19a67a89546cf455f4b34bddbf

prebuilts/api/30.0/private/bpfloader.te

diff --git a/prebuilts/api/30.0/private/bpfloader.te b/prebuilts/api/30.0/private/bpfloader.te
index 249f3df..74a8e25 100644
--- a/prebuilts/api/30.0/private/bpfloader.te
+++ b/prebuilts/api/30.0/private/bpfloader.te
@@ -5,7 +5,7 @@
 
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr };
+allow bpfloader fs_bpf:file { create setattr read };
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };

private/bpfloader.te

diff --git a/private/bpfloader.te b/private/bpfloader.te
index b31fe18..7c88be2 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -5,7 +5,7 @@
 
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr };
+allow bpfloader fs_bpf:file { create setattr read };
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };