domain: unconfined access to bpf

Signed-off-by: Dominick Grift <dac.override@gmail.com>
Dominick Grift 2019-09-03 18:53:15 +02:00 committed by Chris PeBenito
parent 6b11dcef89
commit 3228c2b997


@ -152,6 +152,9 @@ optional_policy(`
# is handled in the interface as typeattribute cannot
# be used on an attribute.
# unconfined access to bpf
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom };
allow unconfined_domain_type domain:rawip_socket node_bind;
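Review bot: The comment added above the `domain:bpf` rule says only "unconfined access to bpf" and does not state that the target is the `domain` attribute rather than `self`, so the rule covers bpf maps and programs labelled with any domain's type, not just the unconfined process's own. That breadth is presumably intended for unconfined domains, but it is the security-relevant part of the rule and should be stated, for example `# Create/load bpf maps and programs, and read/write/run those created by any domain (target is domain, not self).` The permission set is also listed by hand; if the bpf class gains a permission later, unconfined domains will not get it until this line is edited, so a short comment saying the list is meant to mirror the full bpf class would help the next maintainer. The enclosing policy section starts and ends outside the hunk.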