# platform should have ownership of network attachpoints for BPF
neverallow {
  bpfdomain
  -bpfloader
  -netd
  -netutils_wrapper
  -network_stack
  -system_server
} self:global_capability_class_set { net_admin net_raw };

# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;

allow bpfdomain fs_bpf:dir search;

# genfscon doesn't seem to trigger during symlink creation,
# and thus any created symlinks end up as 'fs_bpf:lnk_type',
# however this feels like a kernel bug / missing feature,
# so let's allow all bpffs_type's instead,
# this will keep things working even if this is fixed.
allow bpfdomain bpffs_type:lnk_file read;

# Needed for //frameworks/libs/net:
# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
get_prop(bpfdomain, bpf_progs_loaded_prop)
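The two neverallow rules above work by set subtraction: the first one forbids net_admin/net_raw to every bpfdomain member except the five listed platform daemons, and the second forbids any bpf-class access to every domain that is not a bpfdomain. The following is an added example, not part of the Android sepolicy tree, that models that expansion and checks a handful of constructed allow rules against both neverallows the way the policy compiler would reject them. Attribute membership, the type names some_bpf_app/vendor_daemon/untrusted_app, and the expansion of global_capability_class_set to capability and cap_userns are all assumptions made for the demo.

```python
# Added example (not part of the Android sepolicy source): a toy model of how
# the two neverallow rules in bpfdomain.te constrain allow rules. Attribute
# membership below is constructed for illustration and is not the real policy.
from dataclasses import dataclass

# Assumption: which types carry which attributes. Real membership comes from
# the full policy build; these sets are invented for the demo.
ATTRIBUTES = {
    "domain": {"bpfloader", "netd", "netutils_wrapper", "network_stack",
               "system_server", "some_bpf_app", "init", "untrusted_app",
               "vendor_daemon"},
    "bpfdomain": {"bpfloader", "netd", "netutils_wrapper", "network_stack",
                  "system_server", "some_bpf_app"},
}
# Assumption: global_capability_class_set expands to these object classes
# (check global_macros in the policy tree for the authoritative definition).
CAPABILITY_CLASSES = {"capability", "cap_userns"}


def expand(type_expr):
    """Expand a policy type set such as { domain -bpfdomain } into concrete types.

    Positive entries add an attribute's members (or a plain type); entries
    prefixed with '-' subtract them, exactly as SELinux set syntax does.
    """
    positive, negative = set(), set()
    for token in type_expr:
        if token.startswith("-"):
            negative |= ATTRIBUTES.get(token[1:], {token[1:]})
        else:
            positive |= ATTRIBUTES.get(token, {token})
    return positive - negative


@dataclass(frozen=True)
class Rule:
    """One allow rule: allow <source> <target>:<tclass> { perms };"""
    source: str
    target: str
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class NeverAllow:
    """One neverallow rule; '*' in target or perms means 'any'."""
    sources: frozenset
    target: str
    classes: frozenset
    perms: frozenset


# The two neverallow rules from bpfdomain.te, modelled as data.
NEVERALLOWS = [
    NeverAllow(frozenset({"bpfdomain", "-bpfloader", "-netd", "-netutils_wrapper",
                          "-network_stack", "-system_server"}),
               "self", frozenset(CAPABILITY_CLASSES),
               frozenset({"net_admin", "net_raw"})),
    NeverAllow(frozenset({"domain", "-bpfdomain"}),
               "*", frozenset({"bpf"}), frozenset({"*"})),
]


def violations(allow_rules, neverallows=NEVERALLOWS):
    """Return the allow rules that a policy compile would reject."""
    found = []
    for na in neverallows:
        forbidden_sources = expand(na.sources)
        for rule in allow_rules:
            if rule.source not in forbidden_sources:
                continue
            if rule.tclass not in na.classes:
                continue
            # 'self' matches rules written with self or with source == target.
            if na.target == "self" and rule.target not in ("self", rule.source):
                continue
            if na.target not in ("self", "*") and rule.target != na.target:
                continue
            if "*" not in na.perms and not (rule.perms & na.perms):
                continue
            found.append(rule)
    return found


# Constructed allow rules to check; only two of them break the policy.
SAMPLE_ALLOWS = [
    Rule("netd", "self", "capability", frozenset({"net_admin"})),         # exempted daemon
    Rule("vendor_daemon", "self", "capability", frozenset({"net_raw"})),  # not a bpfdomain
    Rule("some_bpf_app", "self", "capability", frozenset({"net_raw"})),   # violates rule 1
    Rule("netd", "fs_bpf", "bpf", frozenset({"prog_run"})),               # bpfdomain, fine
    Rule("untrusted_app", "fs_bpf", "bpf", frozenset({"map_read"})),      # violates rule 2
]


def violating_sources(allow_rules=SAMPLE_ALLOWS):
    """Source types of the rules that trip a neverallow, in detection order."""
    return [r.source for r in violations(allow_rules)]


if __name__ == "__main__":
    for rule in violations(SAMPLE_ALLOWS):
        print(f"neverallow violation: allow {rule.source} {rule.target}:{rule.tclass} "
              f"{{ {' '.join(sorted(rule.perms))} }}")
```

Note that vendor_daemon holding net_raw is not caught by the first rule: that rule only restricts types carrying the bpfdomain attribute, which is why the second rule (no bpf access outside bpfdomain) is what actually forces every BPF user onto this attribute and under the capability restriction.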