| # platform should have ownership of network attachpoints for BPF | |
| neverallow { | |
| bpfdomain | |
| -bpfloader | |
| -netd | |
| -netutils_wrapper | |
| -network_stack | |
| -system_server | |
| } self:global_capability_class_set { net_admin net_raw }; | |
| # any domain which uses bpf is a bpfdomain | |
| neverallow { domain -bpfdomain } *:bpf *; | |
| allow bpfdomain fs_bpf:dir search; |