| Steven Moreland | 6598175 | 2022-02-10 00:32:44 +0000 | [diff] [blame] | 1 | # platform should have ownership of network attachpoints for BPF |
| 2 | neverallow { | ||||
| 3 | bpfdomain | ||||
| 4 | -bpfloader | ||||
| 5 | -netd | ||||
| 6 | -netutils_wrapper | ||||
| 7 | -network_stack | ||||
| 8 | -system_server | ||||
| 9 | } self:global_capability_class_set { net_admin net_raw }; | ||||
| 10 | |||||
| 11 | # any domain which uses bpf is a bpfdomain | ||||
| 12 | neverallow { domain -bpfdomain } *:bpf *; | ||||
| 13 | |||||
| Stephane Lee | b30e888 | 2022-03-21 17:31:14 -0700 | [diff] [blame^] | 14 | allow bpfdomain fs_bpf:dir search; |