grant bpfloader NET_ADMIN capability This is required for it to be able to create DEVMAP/DEVMAP_HASH maps. See kernel source code in kernel/bpf/devmap.c: static struct bpf_map *dev_map_alloc(union bpf_attr *attr) { ... if (!capable(CAP_NET_ADMIN)) return ERR_PTR(-EPERM); Test: atest, TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I2fc5b1541133859857fc9baa7564965f240c842a

commit: 94c30686cffcc089efd7cbe738ffd9a5b3f4cb94 [log] [tgz]
author: Maciej Żenczykowski <maze@google.com> Mon Mar 01 23:16:46 2021 -0800
committer: Maciej Żenczykowski <maze@google.com> Mon Mar 01 23:40:08 2021 -0800
tree: 3828d874b6e84d8c87b4f185622149c61514defc
parent: 286fa14bae6b4b23bfd23dc10fd2c21f1ca3d6aa [diff]
diff --git a/private/bpfloader.te b/private/bpfloader.te
index f1932bb..ae9b52c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -11,7 +11,7 @@
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
 
-allow bpfloader self:capability { chown sys_admin };
+allow bpfloader self:capability { chown sys_admin net_admin };
 
 set_prop(bpfloader, bpf_progs_loaded_prop)
commit	94c30686cffcc089efd7cbe738ffd9a5b3f4cb94	[log] [tgz]
author	Maciej Żenczykowski <maze@google.com>	Mon Mar 01 23:16:46 2021 -0800
committer	Maciej Żenczykowski <maze@google.com>	Mon Mar 01 23:40:08 2021 -0800
tree	3828d874b6e84d8c87b4f185622149c61514defc
parent	286fa14bae6b4b23bfd23dc10fd2c21f1ca3d6aa [diff]