# Network attach points for BPF are owned by the platform.
# Compile-time assertion: a domain carrying the bpfdomain attribute must not
# hold the net_admin or net_raw capability on itself unless it is one of the
# domains subtracted below. The subtracted entries are the whole exemption
# list, so adding a domain here widens the set of BPF users that can also
# hold network-admin capabilities and should be reviewed as such.
# NOTE(review): global_capability_class_set is a macro defined outside this
# file; presumably it expands to the capability object classes - confirm.
neverallow {
  bpfdomain
  -bpfloader
  -netd
  -netutils_wrapper
  -network_stack
  -system_server
} self:global_capability_class_set {
  net_admin
  net_raw
};

# Any domain that uses bpf has to be a bpfdomain.
# Target type and permission are both wildcards, so no permission in the bpf
# class, on any target, can be granted to a domain that lacks the attribute.
# This is what lets the capability restriction above reach every BPF user.
neverallow {
  domain
  -bpfdomain
} *:bpf *;

# Members of bpfdomain may traverse directories labelled fs_bpf.
# This rule grants search only: it does not grant directory listing or any
# access to the objects inside, which need their own rules.
# NOTE(review): fs_bpf presumably labels the bpf filesystem mount - confirm
# against the file or genfs contexts.
allow bpfdomain fs_bpf:dir search;