@@ -33,7 +33,7 @@ allow_map(test_binder_bpf_provider_t, device_t, chr_file)
allow test_binder_bpf_provider_t test_file_t:fifo_file { rw_file_perms };
# For testing BPF map fd transfer:
allow test_binder_bpf_provider_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow test_binder_bpf_provider_t self:capability { sys_resource };
+allow test_binder_bpf_provider_t self:capability { sys_resource sys_admin };
allow test_binder_bpf_provider_t self:process { setrlimit };
#
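Review bot: `sys_admin` is a very broad capability, and the new rule for `test_binder_bpf_provider_t` gives no reason for granting it; the same unexplained grant repeats in the `test_bpf_t`, `test_bpf_deny_*_t` and `test_fdreceive_bpf_client*_t` hunks. I would put a comment above each rule, for example `# sys_admin: bpf(2) is refused without it when unprivileged BPF is disabled (confirm)`, so a later reader can tell whether the grant is still needed. If the kernels under test define CAP_BPF, `self:capability2 { bpf }` behind a feature check would likely be a narrower fit than `sys_admin`. That depends on which bpf commands the tests issue, which this diff does not show.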
@@ -12,7 +12,7 @@ typeattribute test_bpf_t testdomain;
typeattribute test_bpf_t bpfdomain;
allow test_bpf_t self:process { setrlimit };
-allow test_bpf_t self:capability { sys_resource };
+allow test_bpf_t self:capability { sys_resource sys_admin };
allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run };
############################## Deny map_create #############################
@@ -23,7 +23,7 @@ typeattribute test_bpf_deny_map_create_t testdomain;
typeattribute test_bpf_deny_map_create_t bpfdomain;
allow test_bpf_deny_map_create_t self:process { setrlimit };
-allow test_bpf_deny_map_create_t self:capability { sys_resource };
+allow test_bpf_deny_map_create_t self:capability { sys_resource sys_admin };
allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run };
############################## Deny map_read ##############################
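Review bot: Nothing in the policy says that the `test_bpf_deny_*_t` domains (this hunk and the four after it) must keep the same capability set as `test_bpf_t`, yet the negative tests depend on the withheld `bpf` permission being the only difference. A comment such as `# Same capabilities as test_bpf_t; only the withheld bpf permission differs` would stop a later cleanup from trimming `sys_admin` in one domain. If that happened, the operation could fail on the capability check instead of the SELinux `bpf` check, and a test that only looks for failure would still pass. Whether the tests distinguish the errno or check for the AVC is not visible from these hunks.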
@@ -34,7 +34,7 @@ typeattribute test_bpf_deny_map_read_t testdomain;
typeattribute test_bpf_deny_map_read_t bpfdomain;
allow test_bpf_deny_map_read_t self:process { setrlimit };
-allow test_bpf_deny_map_read_t self:capability { sys_resource };
+allow test_bpf_deny_map_read_t self:capability { sys_resource sys_admin };
allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run };
############################## Deny map_write ##############################
@@ -45,7 +45,7 @@ typeattribute test_bpf_deny_map_write_t testdomain;
typeattribute test_bpf_deny_map_write_t bpfdomain;
allow test_bpf_deny_map_write_t self:process { setrlimit };
-allow test_bpf_deny_map_write_t self:capability { sys_resource };
+allow test_bpf_deny_map_write_t self:capability { sys_resource sys_admin };
allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run };
############################## Deny prog_load ##############################
@@ -56,7 +56,7 @@ typeattribute test_bpf_deny_prog_load_t testdomain;
typeattribute test_bpf_deny_prog_load_t bpfdomain;
allow test_bpf_deny_prog_load_t self:process { setrlimit };
-allow test_bpf_deny_prog_load_t self:capability { sys_resource };
+allow test_bpf_deny_prog_load_t self:capability { sys_resource sys_admin };
allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run };
############################## Deny prog_run ###############################
@@ -67,7 +67,7 @@ typeattribute test_bpf_deny_prog_run_t testdomain;
typeattribute test_bpf_deny_prog_run_t bpfdomain;
allow test_bpf_deny_prog_run_t self:process { setrlimit };
-allow test_bpf_deny_prog_run_t self:capability { sys_resource };
+allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
#
@@ -15,7 +15,7 @@ allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms };
allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms };
allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto };
allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow test_fdreceive_bpf_client_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client_t self:capability { sys_resource sys_admin };
allow test_fdreceive_bpf_client_t self:process { setrlimit };
# Server side rules:
allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use };
@@ -33,7 +33,7 @@ allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms };
allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms };
allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto };
allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run };
-allow test_fdreceive_bpf_client2_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client2_t self:capability { sys_resource sys_admin };
allow test_fdreceive_bpf_client2_t self:process { setrlimit };
# Server side rules:
allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use };
@@ -49,7 +49,7 @@ allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms };
allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms };
allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto };
allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write };
-allow test_fdreceive_bpf_client3_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client3_t self:capability { sys_resource sys_admin };
allow test_fdreceive_bpf_client3_t self:process { setrlimit };
# Server side rules:
allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };