From aa0d31bad83cf8664e5b415b55022deaa0648552 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 2 Aug 2022 16:31:48 +0200
Subject: [PATCH] Add the userdom_prog_run_bpf_userdomain() interface
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/aa0d31bad83cf8664e5b415b55022deaa0648552
Conflict: NA
The userdom_prog_run_bpf_userdomain() interface was added to allow the caller domain to run bpftool on the userdomain attribute.
Signed-off-by: lujie54
---
 policy/modules/system/userdomain.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index aeb2deb..e14a3c5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -6809,3 +6809,21 @@ template(`userdom_security_admin_template',`
 samhain_run($1, $2)
 ')
 ')
+#
+########################################
+##
+## Allow caller domain to run bpftool on userdomain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_prog_run_bpf_userdomain',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:bpf { map_create map_read map_write prog_load prog_run };
+')
-- 
1.8.3.1
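Review bot: The `allow $1 userdomain:bpf { map_create map_read map_write prog_load prog_run };` rule grants more than the interface name (`prog_run`) and the summary ("run bpftool on userdomain") suggest. It includes `map_write` on BPF objects labelled with any type carrying the `userdomain` attribute, so a caller of this interface can modify maps created by user domains as well as read them and run their programs. The summary should spell out the granted set so policy authors can judge the grant, for example `## Allow the caller domain to create, read and write BPF maps and to load and run BPF programs labelled with any userdomain type.` As far as I know, the kernel checks `map_create` and `prog_load` against the caller's own context, so they may only take effect when `$1` is itself a userdomain type. That is worth confirming, and those two could be dropped if the intended callers only inspect existing objects. The stray `#` line added ahead of the `########` banner could also be a blank line to match the rest of the file.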