init: add interface to run init bpf programs

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-11 15:36:00 -04:00 · 2021-10-11 15:36:00 -04:00 · 582f390f85
commit 582f390f85
parent c9eb093f2b
1 changed files with 19 additions and 0 deletions
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -1299,6 +1299,25 @@ interface(`init_dbus_chat',`
 	allow init_t $1:dbus send_msg;
 ')

+########################################
+## <summary>
+## 	Run init BPF programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_run_bpf',`
+	gen_require(`
+		type init_t;
+		class bpf prog_run;
+	')
+
+	allow $1 init_t:bpf prog_run;
+')
+
 ########################################
 ## <summary>
 ##      read/follow symlinks under /var/lib/systemd/