container: allow super privileged containers to manage BPF dirs

Seen on a recent update to Cilium.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>

2 files changed, 19 insertions, 1 deletions

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index ae022b6c0..6fae5d991 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -734,6 +734,24 @@ interface(`fs_create_bpf_dirs',`
 
 ########################################
 ## <summary>
+##	Manage bpf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_bpf_dirs',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	manage_dirs_pattern($1, bpf_t, bpf_t)
+')
+
+########################################
+## <summary>
 ##	Manage bpf files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 864fae707..66b16e4e4 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -1041,7 +1041,7 @@ fs_mounton_cgroup(spc_t)
 fs_manage_cgroup_dirs(spc_t)
 fs_manage_cgroup_files(spc_t)
 fs_mount_bpf(spc_t)
-fs_create_bpf_dirs(spc_t)
+fs_manage_bpf_dirs(spc_t)
 fs_manage_bpf_files(spc_t)
 fs_manage_bpf_symlinks(spc_t)
 fs_mounton_fusefs(spc_t)