# Rules shared by every domain carrying the bpfdomain attribute.

# platform should have ownership of network attachpoints for BPF
#
# Compile-time assertion: no bpfdomain other than the five platform
# domains listed below may hold net_admin or net_raw over itself in
# global_capability_class_set (the capability classes), i.e. the
# exclusions are the allowlist for attaching BPF programs to network
# hooks. Adding a domain to this list widens who can own network
# attachpoints and should be reviewed as such.
neverallow {
  bpfdomain
  -bpfloader
  -netd
  -netutils_wrapper
  -network_stack
  -system_server
} self:global_capability_class_set { net_admin net_raw };

# any domain which uses bpf is a bpfdomain
#
# No permission on the bpf object class, against any target type, is
# allowed to a domain that lacks the bpfdomain attribute; this forces
# every BPF user through the restrictions in this file.
neverallow { domain -bpfdomain } *:bpf *;

# Directory lookup only: traversing the bpf filesystem is permitted here,
# not reading or creating entries in it.
allow bpfdomain fs_bpf:dir search;

# genfscon doesn't seem to trigger during symlink creation,
# and thus any created symlinks end up labelled with the fs_bpf type;
# however this feels like a kernel bug / missing feature,
# so let's allow all bpffs_type's instead,
# this will keep things working even if this is fixed.
#
# Note this grants symlink read on every type carrying bpffs_type, not just
# fs_bpf; the permission is limited to lnk_file read, so it follows links
# but does not grant access to what they point at.
allow bpfdomain bpffs_type:lnk_file read;