From 4bf478828f25850b9a9341a702e6e1d4f4b20660 Mon Sep 17 00:00:00 2001
From: Joel Fernandes <joelaf@google.com>
Date: Wed, 28 Nov 2018 11:06:49 -0800
Subject: [PATCH] Assign bpfloader with CAP_SYS_ADMIN

bpfloader needs to load bpf programs with tracepoints in them. The
tracepoint programs are not activated but are just loaded and pinned.
The kernel expects the process doing this to have CAP_SYS_ADMIN. Since
bpfloader was intended to be a 1-shot run and exit process with security
privileges, let's assign it CAP_SYS_ADMIN so that it is able to load the
tracepoint programs.

Bug: 112334572
Change-Id: Icf9b5d95615e69f5c28dc28f021b07f49710c97d
Signed-off-by: Joel Fernandes <joelaf@google.com>
---
 private/bpfloader.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/bpfloader.te b/private/bpfloader.te
index f8da1eba3..802fd516a 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -14,7 +14,7 @@ allow bpfloader netd:fd use;
 # for retrieving a pinned map when bpfloader do a run time restart.
 allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
 
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:global_capability_class_set sys_admin;
 
 ###
 ### Neverallow rules
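Review bot: The new `allow` for sys_admin on L29 carries no comment, unlike the `bpf` rule just above it which states why it is needed; since CAP_SYS_ADMIN is the broadest capability a domain can be granted, the justification belongs next to the rule rather than only in the commit message, e.g. `# CAP_SYS_ADMIN is required by the kernel to load (not attach) tracepoint bpf programs. b/112334572`. This also turns a `dontaudit` into an `allow`, so any other sys_admin-gated operation bpfloader attempted before, previously denied silently, now succeeds; the commit message scopes the need to loading tracepoint programs, so it is worth confirming nothing else becomes reachable. The "Neverallow rules" section begins right after the hunk and is outside it; check that no rule there excludes bpfloader from sys_admin, since a conflicting neverallow would fail policy compilation rather than silently lose the grant.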
-- 
GitLab