# Every domain that touches BPF objects must carry the bpfdomain attribute:
# any domain outside it is denied every bpf permission on every target, and
# the policy build fails if some rule tries to grant one.
neverallow { domain -bpfdomain } *:bpf *;

# CAP_NET_ADMIN / CAP_NET_RAW are what let a domain own network attach points
# for BPF. Only the listed platform domains may hold them together with BPF
# access; any other bpfdomain that is granted either capability is rejected at
# policy compile time rather than at runtime.
neverallow {
    bpfdomain
    -bpfloader
    -netd
    -netutils_wrapper
    -network_stack
    -system_server
} self:global_capability_class_set { net_raw net_admin };

# Path traversal through directories on the BPF filesystem.
allow bpfdomain fs_bpf:dir search;

# Symlinks created on bpffs do not appear to pick up the genfscon label and
# end up as 'fs_bpf:lnk_type'. That looks like a kernel bug / missing feature,
# so rather than special-casing that one type, allow reading any bpffs_type
# symlink; the rule keeps working if the labelling is ever fixed.
allow bpfdomain bpffs_type:lnk_file read;

# Read access to bpf_progs_loaded_prop, required by
# //frameworks/libs/net:common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
get_prop(bpfdomain, bpf_progs_loaded_prop)