grant bpfloader CAP_CHOWN so that it can change the uid/gid of pinned bpf progs and maps Test: build, atest Bug: 149434314 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I1d873c7799e1d9fa5d4bde145e89254dabb75a01

commit: 1189fac418d0deee1444533e2687894b9399bb2a [log] [tgz]
author: Maciej Żenczykowski <maze@google.com> Mon Jan 27 07:10:40 2020 -0800
committer: Maciej Żenczykowski <maze@google.com> Thu Feb 13 20:46:02 2020 +0000
tree: 5e399b927180337f7aeb7daec7fbc01eacaef376
parent: d9b78b4c8403845f61765b698a6e23688441199a [diff]
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 34921e6..8271add 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -12,7 +12,7 @@
 # for retrieving a pinned map when bpfloader do a run time restart.
 allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
 
-allow bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:capability { chown sys_admin };
 
 ###
 ### Neverallow rules
commit	1189fac418d0deee1444533e2687894b9399bb2a	[log] [tgz]
author	Maciej Żenczykowski <maze@google.com>	Mon Jan 27 07:10:40 2020 -0800
committer	Maciej Żenczykowski <maze@google.com>	Thu Feb 13 20:46:02 2020 +0000
tree	5e399b927180337f7aeb7daec7fbc01eacaef376
parent	d9b78b4c8403845f61765b698a6e23688441199a [diff]