Assign bpfloader with CAP_SYS_ADMIN

bpfloader needs to load bpf programs with tracepoints in them. The tracepoint programs are not activated but are just loaded and pinned. The kernel expects the process doing this to have CAP_SYS_ADMIN. Since bpfloader was intended to be a 1-shot run and exit process with security privileges, lets assign it CAP_SYS_ADMIN so that it is able to load the tracepoint programs. Bug: 112334572 Change-Id: Icf9b5d95615e69f5c28dc28f021b07f49710c97d Signed-off-by: Joel Fernandes <joelaf@google.com>

Assign bpfloader with CAP_SYS_ADMIN
bpfloader needs to load bpf programs with tracepoints in them. The tracepoint programs are not activated but are just loaded and pinned. The kernel expects the process doing this to have CAP_SYS_ADMIN. Since bpfloader was intended to be a 1-shot run and exit process with security privileges, lets assign it CAP_SYS_ADMIN so that it is able to load the tracepoint programs. Bug: 112334572 Change-Id: Icf9b5d95615e69f5c28dc28f021b07f49710c97d Signed-off-by: Joel Fernandes <joelaf@google.com>
4bf47882 · Joel Fernandes · cb691fbc · 4bf47882
Commit 4bf47882 authored 6 years ago by Joel Fernandes
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -14,7 +14,7 @@ allow bpfloader netd:fd use;
 # for retrieving a pinned map when bpfloader do a run time restart.
 allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:global_capability_class_set sys_admin;
 ###
 ### Neverallow rules