Merge "bpfloader - relax neverallows for map_read/write/prog_run" into main

commit: ced9b5c164c58ee2076b17f7078a09a90f454292 [log] [tgz]
author: Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> Wed Mar 13 07:24:39 2024 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Mar 13 07:24:39 2024 +0000
tree: 83e7eb4be2cd0790420cdb05ee4e5aa361183afc
parent: c35639d6159a552703f260bf47b157344061adf2 [diff]
parent: f83e395a4af513017c9dbaadb0ea91c0edf09ae4 [diff]
diff --git a/private/bpfloader.te b/private/bpfloader.te
index be6f77c..87fed1a 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -48,24 +48,12 @@
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
 
 # 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
 neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
 neverallow { domain -bpfloader } fs_bpf_loader:file *;
 
-neverallow {
-  domain
-  -bpfloader
-  -gpuservice
-  -hal_health_server
-  -mediaprovider_app
-  -netd
-  -netutils_wrapper
-  -network_stack
-  -system_server
-  -uprobestats
-} *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
 neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
commit	ced9b5c164c58ee2076b17f7078a09a90f454292	[log] [tgz]
author	Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>	Wed Mar 13 07:24:39 2024 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Mar 13 07:24:39 2024 +0000
tree	83e7eb4be2cd0790420cdb05ee4e5aa361183afc
parent	c35639d6159a552703f260bf47b157344061adf2 [diff]
parent	f83e395a4af513017c9dbaadb0ea91c0edf09ae4 [diff]