Backport relaxed bpf neverallow rule to 202404 CTS
See aosp/3001992 for the relaxed rules.
Bug: 346518893
Test: atest android.security.cts.SELinuxNeverallowRulesTestVendor
Change-Id: I34d384c95e599ae3c1f7ca93cc79efb269453402
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index e418549..7486c32 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -46100,24 +46100,12 @@
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
-neverallow {
- domain
- -bpfloader
- -gpuservice
- -hal_health_server
- -mediaprovider_app
- -netd
- -netutils_wrapper
- -network_stack
- -system_server
- -uprobestats
-} *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;