From 756dd574d5ca4b936fd1acce3bbd9c1b65b00f5e Mon Sep 17 00:00:00 2001
From: Chenbo Feng <fengc@google.com>
Date: Tue, 21 Nov 2017 10:53:01 -0800
Subject: [PATCH] sepolicy: Allow system server to r/w the bpf maps

The system server is responsible for providing the network traffic stats to Apps and services. Allow it to directly reading the eBPF maps that stored these information can make the process of getting traffic stats simplier.

Test: No selinux rule violation of system server reading netd bpf object
Bug: 30950746
Change-Id: I6d9438d1ed7c9bab45a708f5d2a85eb22f5e8170
---
 private/system_server.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/private/system_server.te b/private/system_server.te
index eff8e8f31..df241047d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -725,6 +725,11 @@ with_asan(`
   allow system_server zygote_exec:file rx_file_perms;
 ')
 
+# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# the map after snapshot is recorded
+allow system_server fs_bpf:file write;
+allow system_server netd:bpf { map_read map_write };
+
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
-- 
GitLab
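Review bot: The rule `allow system_server fs_bpf:file write;` is broader than its comment conveys, and the comment does not say why a write permission is granted for what the description calls reading: `fs_bpf` labels every object pinned under /sys/fs/bpf, not only netd's traffic-stats maps, and, as I understand the kernel of this era, `bpf(BPF_OBJ_GET)` checks write access on the pinned path even when the caller only reads the map, which is presumably why `write` rather than `read` was chosen here. I would replace the two added comment lines with `# Open netd's pinned traffic-stats maps via BPF_OBJ_GET (the kernel checks write access on the pinned path even for read-only use), then read the entries and clear them after a snapshot.` followed by `# NOTE: fs_bpf covers every pinned object, not only netd's maps; introduce a dedicated file type if other domains start pinning here.`, which also fixes the `amd` typo. The `Test:` line only shows that no denials were logged, so it does not confirm that `map_write` is actually exercised by the clean-up path; worth stating the concrete map operations (update/delete) that need it before landing. The `with_asan` block closes at the `')` context line, so the new rules are unconditional top-level allows rather than ASan-only.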