Fix sepolicy for bpf object am: bfa95fcd am: 585b3bcf

am: cbaad76d Change-Id: I62c082e6691544cea974a80d5f56164d44c4e496

Fix sepolicy for bpf object am: bfa95fcd am: 585b3bcf
am: cbaad76d Change-Id: I62c082e6691544cea974a80d5f56164d44c4e496
5f4de67d · Chenbo Feng · android-build-merger · daf1cdfa · cbaad76d · 5f4de67d
Commit 5f4de67d authored 7 years ago by Chenbo Feng Committed by android-build-merger 7 years ago
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,8 +13,7 @@ allow bpfloader fs_bpf:dir  create_dir_perms;
 allow bpfloader fs_bpf:file create_file_perms;
 allow bpfloader devpts:chr_file { read write };
-# TODO: unknown fd pass denials, need further investigation.
+allow bpfloader netd:fd use;
-dontaudit bpfloader netd:fd use;
 # Use pinned bpf map files from netd.
 allow bpfloader netd:bpf { map_read map_write };

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -749,8 +749,8 @@ with_asan(`
 # allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
 # the map after snapshot is recorded
-allow system_server fs_bpf:file write;
+allow system_server fs_bpf:file read;
-allow system_server netd:bpf { map_read map_write };
+allow system_server netd:bpf map_read;
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.