From 7bed5e4a7f631c5121567664dc0916530c959de6 Mon Sep 17 00:00:00 2001
Message-Id: <7bed5e4a7f631c5121567664dc0916530c959de6.1645093298.git.maciej.zenon.borzecki@canonical.com>
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Wed, 2 Feb 2022 13:15:04 +0100
Subject: [PATCH] data/selinux: update SELinux policy with more bpf allowances
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
data/selinux/snappy.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
index 948280ae7d17430f1ad4ddd25e0d7379aae7f575..cae01cd2256500caa6b82a56b10ada0093400f03 100644
--- a/data/selinux/snappy.te
+++ b/data/selinux/snappy.te
@@ -605,6 +605,12 @@ allow snappy_confine_t self:capability { setgid setuid sys_admin sys_chroot dac_
# device cgroup program, however those bits can only be built on a sufficiently
# recent system
ifndef(`no_bpf',`
+ # memlock rlimit may need to be temporarily incresed when loading a BPF program
+ allow snappy_confine_t self:capability { sys_resource };
+ allow snappy_confine_t self:process { setrlimit };
+ # doing BPF things
+ allow snappy_confine_t self:capability2 { bpf perfmon };
+ # specifically these operations
allow snappy_confine_t self:bpf { map_create map_read map_write prog_load prog_run };
# snap-confine creates /sys/fs/bpf/snap directory and pings BPF maps inside
fs_manage_bpf_dirs(snappy_confine_t)
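Review bot: The new `sys_resource` + `process { setrlimit }` pair (lines 19-20) is broader than the memlock justification suggests: SELinux cannot scope setrlimit to one resource, so this lets snap-confine raise any hard rlimit, and the comment should say so and name the kernel range where it is needed (BPF memory is charged to memcg rather than RLIMIT_MEMLOCK on newer kernels, so the bump is presumably only required on older ones — confirm against the snap-confine code that does the raise). Suggested replacement for the comment on line 18: `# RLIMIT_MEMLOCK may need to be raised while loading the BPF program on older kernels; SELinux cannot limit setrlimit to a single resource, so this also permits raising other rlimits` (also fixes the "incresed" typo). The "doing BPF things" comment on line 21 should state why `perfmon` is needed in addition to `bpf`, since `sys_admin` is already granted on the context line at the top of the hunk and perfmon is not obviously required for a cgroup device program; if it is only there to silence an AVC denial, say that. The enclosing `ifndef(`no_bpf',` block opened on line 17 closes outside the hunk.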
--
2.35.1