sepolicy: Allow mount cgroupv2 and bpf fs
Add the sepolicy rules needed for the init process to create the directory,
mount the cgroupv2 module and mount the bpf filesystem. Also allow netd to
create and pin bpf objects as files, and to read them back from files under
the directory where the bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
diff --git a/public/netd.te b/public/netd.te
index fa03dbd..ec18113 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,6 +7,7 @@
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
+r_dir_file(netd, cgroup_bpf)
allow netd system_server:fd use;
allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -57,6 +58,9 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
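Review bot: The two new rules `allow netd fs_bpf:dir create_dir_perms;` and `allow netd fs_bpf:file create_file_perms;` grant more than the create-pin-and-read-back workflow the description calls for: in AOSP's global macros create_file_perms expands to rename, setattr and unlink on top of rw_file_perms, and create_dir_perms adds rmdir and reparent, so netd may also delete or replace pinned objects rather than only create and reopen them. Since the pinned maps under /sys/fs/bpf/ become shared state that other components will trust, and nothing in this hunk stops further domains from later being granted the same access, consider pairing the grant with a neverallow in domain.te (or wherever the fs_bpf type's other rules live) along the lines of `neverallow { domain -init -netd } fs_bpf:file *;`, adjusted to whatever read-only access other domains legitimately need. A why-comment above the two lines would also help the next maintainer, e.g. `# netd creates and pins bpf objects under /sys/fs/bpf and reopens them by path; rw rather than read-only because BPF_OBJ_GET is believed to require write permission on the pinned inode (verify against the kernel in use).` If the narrower set turns out sufficient, replacing the macros with explicit permission lists would make the intended scope visible in the policy itself.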