From f33bc79e172068ca4cb47281b8fcfc9f47840b61 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Mon, 22 May 2023 14:30:26 +0200
Subject: [PATCH] Allow kernel to manage its own BPF objects

Kernel threads may end up calling __sys_bpf(), which does the usual BPF access checks, so make sure kernel_t is allowed to at least operate on its own BPF fds.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2186595

Signed-off-by: Ondrej Mosnacek
---
 policy/modules/kernel/kernel.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b86852812b..e0fcd2dff9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -271,6 +271,7 @@ allow kernel_t self:unix_stream_socket connectto;
 allow kernel_t self:fifo_file rw_fifo_file_perms;
 allow kernel_t self:sock_file read_sock_file_perms;
 allow kernel_t self:fd use;
+allow kernel_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow kernel_t debugfs_t:dir search_dir_perms;