Merge "Allow system_server to write to bpf maps"
am: b761636b9d
Change-Id: I61851a57daef4dbd774007e6b4e8de6376fb4d59
diff --git a/private/system_server.te b/private/system_server.te
index 30235e5..2dcab1e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -852,11 +852,15 @@
allow system_server zygote_exec:file rx_file_perms;
')
-# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file read;
-allow system_server bpfloader:bpf map_read;
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow system_server self:key_socket create;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
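Review bot: The added `write` on `fs_bpf:file` and `map_write` on `bpfloader:bpf` are granted on the whole type, so system_server can modify every map that carries those labels, while the comment above the rules names only the traffic stats maps. Whether other maps share these types is not visible in this hunk; if they do, the comment should record that the wider reach is accepted, for example `# NOTE: applies to every bpfloader-created map labelled fs_bpf, not only the stats maps`. The comment on the `self:key_socket create` rule also starts mid-sentence, and "such a socket" has no antecedent. Something like `# Allow creating a PF_KEY socket solely so that close() on it triggers synchronize_rcu() in the kernel.` would state the intent and make clear why only `create` is granted.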