Fix sepolicy for bpf object am: bfa95fcd

am: 585b3bcf Change-Id: I214e9ab30d322398757761da46879ab3685f5fdb

Fix sepolicy for bpf object am: bfa95fcd
am: 585b3bcf Change-Id: I214e9ab30d322398757761da46879ab3685f5fdb
cbaad76d · Chenbo Feng · android-build-merger · a6b8414b · 585b3bcf · cbaad76d
Commit cbaad76d authored 7 years ago by Chenbo Feng Committed by android-build-merger 7 years ago
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,8 +13,7 @@ allow bpfloader fs_bpf:dir  create_dir_perms;
 allow bpfloader fs_bpf:file create_file_perms;
 allow bpfloader devpts:chr_file { read write };
-# TODO: unknown fd pass denials, need further investigation.
+allow bpfloader netd:fd use;
-dontaudit bpfloader netd:fd use;
 # Use pinned bpf map files from netd.
 allow bpfloader netd:bpf { map_read map_write };

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -749,8 +749,8 @@ with_asan(`
 # allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
 # the map after snapshot is recorded
-allow system_server fs_bpf:file write;
+allow system_server fs_bpf:file read;
-allow system_server netd:bpf { map_read map_write };
+allow system_server netd:bpf map_read;
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.