Re: [PATCH] security: selinux: allow per-file labeling for bpffs


 



On 2/6/20 11:55 AM, Steven Moreland wrote:
From: Connor O'Brien <connoro@xxxxxxxxxx>

Add support for genfscon per-file labeling of bpffs files. This allows
for separate permissions for different pinned bpf objects, which may
be completely unrelated to each other.

Do you want bpf fs to also support userspace labeling of files via setxattr()? If so, you'll want to add it to selinux_is_genfs_special_handling() as well.

The only caveat I would note here is that it appears that bpf fs supports rename, link, unlink, rmdir etc by userspace, which means that name-based labeling via genfscon isn't necessarily safe/stable. See
https://github.com/SELinuxProject/selinux-kernel/issues/2

Change-Id: I03ae28d3afea70acd6dc53ebf810b34b357b6eb5

Drop Change-Ids from patches submitted upstream please since they aren't meaningful outside of Android.

Signed-off-by: Connor O'Brien <connoro@xxxxxxxxxx>
Signed-off-by: Steven Moreland <smoreland@xxxxxxxxxx>
---
  security/selinux/hooks.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index de4887742d7c..4f9396e6ce8c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -872,6 +872,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
  	    !strcmp(sb->s_type->name, "sysfs") ||
  	    !strcmp(sb->s_type->name, "pstore") ||
  	    !strcmp(sb->s_type->name, "binder") ||
+	    !strcmp(sb->s_type->name, "bpf") ||
  	    !strcmp(sb->s_type->name, "cgroup") ||
  	    !strcmp(sb->s_type->name, "cgroup2"))
  		sbsec->flags |= SE_SBGENFS;
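Review bot: adding "bpf" to the SE_SBGENFS string list only enables genfscon path-based labeling for bpffs inodes; if userspace relabeling of pinned objects via setxattr() is also intended, "bpf" needs to be added to selinux_is_genfs_special_handling() too, which this hunk does not touch. Because bpffs permits rename, link, unlink and rmdir from userspace, a label derived from the pin path is not stable under those operations, so the commit message should state whether per-object labels are expected to survive a rename and how policy is meant to cope with that (see the linked selinux-kernel issue #2).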





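As an added illustration, not part of the patch or of either message in this thread, here is the kind of policy that has to accompany the SE_SBGENFS change before different pinned bpf objects actually receive different labels, written in the Android-style genfscon syntax used for bpffs. The root type fs_bpf matches Android's existing label for bpffs; the child types fs_bpf_tethering and fs_bpf_netd, the domains tethering_app and netd, and the pin paths are assumptions chosen for the example.

```te
# Added example, not from the patch or the thread. Apart from fs_bpf, the
# type names, domain names and pin paths below are assumptions.

# Without a more specific entry every inode on bpffs carries the root label,
# so all pinned maps and programs are indistinguishable to policy.
genfscon bpf / u:object_r:fs_bpf:s0

# Once "bpf" is in the SE_SBGENFS list, the longest matching path prefix
# below is applied per inode, so unrelated pinned objects get their own types.
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /netd      u:object_r:fs_bpf_netd:s0

# Distinct types allow distinct access rules: the tethering domain can only
# open and read its own pinned objects and has no rule at all for netd's.
allow tethering_app fs_bpf_tethering:file { open read };
allow netd          fs_bpf_netd:file      { open read write };
```

After mounting bpffs (normally at /sys/fs/bpf) and pinning an object under /sys/fs/bpf/tethering, `ls -Z` should show the fs_bpf_tethering type; a pin directly under the root still shows fs_bpf. Because bpffs allows rename and link from userspace, a label derived from the pin path is only as trustworthy as the path itself, which is the caveat raised in the reply above; the policy does nothing to prevent a domain with the necessary rights on the parent directories from moving an object out from under its genfscon entry.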