# platform should have ownership of network attachpoints for BPF
neverallow {
    bpfdomain
    -bpfloader
    -netd
    -netutils_wrapper
    -network_stack
    -system_server
} self:global_capability_class_set { net_admin net_raw };

# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;

# every bpfdomain may traverse (search) directories labeled fs_bpf
allow bpfdomain fs_bpf:dir search;