From 7bed5e4a7f631c5121567664dc0916530c959de6 Mon Sep 17 00:00:00 2001
Message-Id: <7bed5e4a7f631c5121567664dc0916530c959de6.1645093298.git.maciej.zenon.borzecki@canonical.com>
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Wed, 2 Feb 2022 13:15:04 +0100
Subject: [PATCH] data/selinux: update SELinux policy with more bpf allowances

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
 data/selinux/snappy.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
index 948280ae7d17430f1ad4ddd25e0d7379aae7f575..cae01cd2256500caa6b82a56b10ada0093400f03 100644
--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
@@ -605,6 +605,12 @@ allow snappy_confine_t self:capability { setgid setuid sys_admin sys_chroot dac_
 # device cgroup program, however those bits can only be built on a sufficiently
 # recent system
 ifndef(`no_bpf',`
+  # memlock rlimit may need to be temporarily incresed when loading a BPF program
+  allow snappy_confine_t self:capability { sys_resource };
+  allow snappy_confine_t self:process { setrlimit };
+  # doing BPF things
+  allow snappy_confine_t self:capability2 { bpf perfmon };
+  # specifically these operations
   allow snappy_confine_t self:bpf { map_create map_read map_write prog_load prog_run };
   # snap-confine creates /sys/fs/bpf/snap directory and pings BPF maps inside
   fs_manage_bpf_dirs(snappy_confine_t)
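Review bot: The `capability2 { bpf perfmon }` grant is wider than the comment "doing BPF things" justifies: `perfmon` is the performance-monitoring capability, and the only BPF operations listed on the following `self:bpf` line are map create/read/write and prog_load/prog_run, none of which is visibly tied to perf access here. If a device-cgroup program load on the target kernels does not in fact require CAP_PERFMON, dropping it keeps snap-confine at least privilege; if it is required, the comment should say why, e.g. `# CAP_BPF and CAP_PERFMON are needed for prog_load on kernels that split them out of CAP_SYS_ADMIN`. The `sys_resource`/`setrlimit` pair is likewise a permanent grant although the comment describes a temporary need, so a reader should not expect the policy to limit when it may be used. The comment also misspells "increased" as "incresed".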
-- 
2.35.1