Add search in bpf directory for bpfdomains
Bug: 203462310
Test: Ensure that associated BPFs can be loaded
Change-Id: I317a890abb518cf4ac47cd089e882315434342ce
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index f0888a7..2be7f88 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -11,3 +11,4 @@
# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;
+allow bpfdomain fs_bpf:dir search;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 35167d5..76a2370 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -54,7 +54,6 @@
# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
-allow gpuservice fs_bpf:dir search;
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
diff --git a/private/lmkd.te b/private/lmkd.te
index 13828a4..51d6204 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,6 @@
# Get persist.device_config.lmk_native.* properties.
get_prop(lmkd, device_config_lmkd_native_prop)
-allow lmkd fs_bpf:dir search;
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index bcbbfcc..630183e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -65,6 +65,5 @@
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
# bpfprog access for FUSE BPF
-allow mediaprovider_app fs_bpf:dir search;
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 06aadc2..af0360f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,6 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
allow netutils_wrapper fs_bpf:file { read write };
allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/system_server.te b/private/system_server.te
index 275bb6f..3e35b7e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1133,7 +1133,6 @@
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
-allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
diff --git a/public/hal_health.te b/public/hal_health.te
index a31da4d..5d7aff5 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -28,7 +28,6 @@
allow hal_health_server self:capability2 wake_alarm;
# Use bpf programs
-allow hal_health_server fs_bpf:dir search;
allow hal_health_server fs_bpf_vendor:dir search;
allow hal_health_server fs_bpf_vendor:file read;
allow hal_health_server bpfloader:bpf prog_run;
diff --git a/public/netd.te b/public/netd.te
index 899df88..64b4c7d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,7 +64,6 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related