[refpolicy] [PATCH] add defintion of bpf class and systemd perms

[refpolicy] [PATCH] add defintion of bpf class and systemd perms

[Christian Göttsche]

---
 policy/flask/access_vectors   | 9 +++++++++
 policy/flask/security_classes | 2 ++
 policy/modules/system/init.te | 1 +
 3 files changed, 12 insertions(+)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 9c9db71bf..b213ce5b0 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1079,3 +1079,12 @@ inherits socket
 
 class smc_socket
 inherits socket
+
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 3ff1b72d2..2ae343060 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -190,4 +190,6 @@ class smc_socket
 
 class process2
 
+class bpf
+
 # FLASK
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 057c33e87..a48919b18 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -228,6 +228,7 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
 	allow init_t self:capability2 audit_read;
+	allow init_t self:bpf { map_create map_read map_write };
 
 	# for /run/systemd/inaccessible/{chr,blk}
 	allow init_t init_var_run_t:blk_file { create getattr };
-- 
2.16.2