From 3228c2b9977743e1500a09f2267d1c3eb6769e20 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Tue, 3 Sep 2019 18:53:15 +0200
Subject: [PATCH] domain: unconfined access to bpf

Signed-off-by: Dominick Grift
---
 policy/modules/kernel/domain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 1a55e3d2d..a4c78af90 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -152,6 +152,9 @@ optional_policy(`
 # is handled in the interface as typeattribute cannot
 # be used on an attribute.

+# unconfined access to bpf
+allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
+
 # Use/sendto/connectto sockets created by any domain.
 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom };
 allow unconfined_domain_type domain:rawip_socket node_bind;
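Review bot: The added comment `# unconfined access to bpf` does not say what the target `domain` means in the new rule: the allow covers bpf maps and programs labelled with any domain's type, not only the caller's own, and the five listed permissions appear to be every permission the `bpf` class defines. I would word it like the socket comment just below, e.g. `# Create, read/write, load and run bpf maps and programs created by any domain.`, so a reader auditing unconfined_domain_type sees the cross-domain scope without expanding the attribute. A second comment line could note that this only lifts the SELinux check and that the kernel's own capability and `kernel.unprivileged_bpf_disabled` gates on bpf(2) still apply. The enclosing section starts above the hunk, so whether the rule sits inside the `optional_policy` named in the hunk header cannot be confirmed from here.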