grant bpfloader ability to fetch the fd of pinned bpf programs
Fixes:
W bpfloader: type=1400 audit(0.0:13): avc: denied { read } for name="prog_offload_schedcls_ingress_tether_rawip" dev="bpf" ino=12551 scontext=u:r:bpfloader:s0 tcontext=u:object_r:fs_bpf:s0 tclass=file permissive=0
Test: builds, atest, treehugger
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3c7b116bc95d2534a3b72f2e3f19c4a2d8ee83f2
diff --git a/private/bpfloader.te b/private/bpfloader.te
index b31fe18..7c88be2 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -5,7 +5,7 @@
# These permissions are required to pin ebpf maps & programs.
allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr };
+allow bpfloader fs_bpf:file { create setattr read };
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
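Review bot: the comment above this rule ("required to pin ebpf maps & programs") no longer matches the rule once `read` is added: `read` on `fs_bpf:file` is what BPF_OBJ_GET on an already-pinned path needs (the denial in the commit message is for `name="prog_offload_schedcls_ingress_tether_rawip"`), not what pinning needs. Consider splitting it out under its own comment so the next reader does not have to dig through the log, e.g. `# Allow bpfloader to fetch the fd of already pinned bpf programs (BPF_OBJ_GET).` followed by `allow bpfloader fs_bpf:file read;`, and leaving `{ create setattr }` with the pinning comment.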