On 2/6/20 12:21 PM, Stephen Smalley wrote:
On 2/6/20 11:55 AM, Steven Moreland wrote:
From: Connor O'Brien <connoro@xxxxxxxxxx>
Add support for genfscon per-file labeling of bpffs files. This allows
for separate permissions for different pinned bpf objects, which may
be completely unrelated to each other.
Do you want bpf fs to also support userspace labeling of files via
setxattr()? If so, you'll want to also add it to
selinux_is_genfs_special_handling() as well.
The only caveat I would note here is that it appears that bpf fs
supports rename, link, unlink, rmdir etc by userspace, which means that
name-based labeling via genfscon isn't necessarily safe/stable. See
https://github.com/SELinuxProject/selinux-kernel/issues/2
Change-Id: I03ae28d3afea70acd6dc53ebf810b34b357b6eb5
Drop Change-Ids from patches submitted upstream please since they aren't
meaningful outside of Android.
Signed-off-by: Connor O'Brien <connoro@xxxxxxxxxx>
Signed-off-by: Steven Moreland <smoreland@xxxxxxxxxx>
---
security/selinux/hooks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index de4887742d7c..4f9396e6ce8c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -872,6 +872,7 @@ static int selinux_set_mnt_opts(struct super_block
*sb,
!strcmp(sb->s_type->name, "sysfs") ||
!strcmp(sb->s_type->name, "pstore") ||
!strcmp(sb->s_type->name, "binder") ||
+ !strcmp(sb->s_type->name, "bpf") ||
!strcmp(sb->s_type->name, "cgroup") ||
!strcmp(sb->s_type->name, "cgroup2"))
sbsec->flags |= SE_SBGENFS;
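Review bot: adding "bpf" to this list only sets SE_SBGENFS, so bpffs inodes get path-derived genfscon labels but userspace still cannot relabel them; if pinned objects are meant to be relabelable with setxattr() at runtime, the same `!strcmp(sb->s_type->name, "bpf")` check needs a matching entry in selinux_is_genfs_special_handling(), as noted above. The commit message should also acknowledge the caveat raised above that bpffs allows rename, link, unlink and rmdir from userspace, so a label chosen by path prefix is not stable: an object pinned under one name can be moved to a path that the genfscon table would have labeled differently, and the security consequences of that should be spelled out. Finally, the base blob in the index line (de4887742d7c) is from an older tree, so the hunk will not apply to the current upstream branch; rebase on the tree described in the linked README before resubmitting.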
Also, your patch appears to be based on an old kernel and won't apply
upstream; see
https://github.com/SELinuxProject/selinux-kernel/blob/master/README.md
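For readers who want to see what the patch enables, here is an added policy fragment (not part of the patch or of any real Android or refpolicy tree) showing how per-file genfscon entries for bpffs would be written and consumed. The type names fs_bpf, fs_bpf_netd, fs_bpf_tethering, the domains netd and tethering, and the pin paths are all assumptions chosen for illustration. genfscon picks the longest matching path prefix, so the entries for specific pins override the root entry. As the reply above notes, bpffs permits rename, link, unlink and rmdir from userspace, so a label assigned by path at lookup time is only as trustworthy as the domains allowed to write to the directory; the allow rules below therefore grant dir write only to the single domain that performs the pinning.

```selinux
# genfs_contexts  (added illustrative example; all names are assumptions)
#
# Root of bpffs: anything not matched by a more specific prefix below.
genfscon bpf /                        u:object_r:fs_bpf:s0
#
# Per-file labels for individual pinned objects. Longest prefix wins, so
# /netd/prog_xt_bpf and /netd/map_uid_counters both get fs_bpf_netd, while
# /tethering/... gets fs_bpf_tethering. Without this patch every file under
# bpffs would inherit the root label fs_bpf and these could not be separated.
genfscon bpf /netd                    u:object_r:fs_bpf_netd:s0
genfscon bpf /tethering               u:object_r:fs_bpf_tethering:s0

# bpffs.te  (added illustrative example; all names are assumptions)
type fs_bpf, fs_type;
type fs_bpf_netd, fs_type;
type fs_bpf_tethering, fs_type;

# Only the pinning domain may create, rename or unlink entries under its
# own subtree. Because genfscon labels are derived from the path, a domain
# that can rename or link within bpffs can move an object to a path that
# carries a different label, so dir write access is the security boundary.
allow netd fs_bpf:dir { search };
allow netd fs_bpf_netd:dir { search write add_name remove_name rename };
allow netd fs_bpf_netd:file { create open read write setattr unlink };

# A consumer of the same pinned objects gets read/open on the files and
# search on the directory, but nothing on fs_bpf_tethering.
allow tethering fs_bpf:dir { search };
allow tethering fs_bpf_tethering:dir { search write add_name remove_name };
allow tethering fs_bpf_tethering:file { create open read write unlink };

# Neither domain may touch the other's subtree: no rule grants netd access
# to fs_bpf_tethering or tethering access to fs_bpf_netd. Opening a pinned
# object also requires the corresponding bpf class permissions (e.g.
# bpf:map_read, bpf:prog_run) on the object's own label; those rules are
# unchanged by this patch and are omitted here.
```

To check the result on a running system, pin an object under each subtree and compare `ls -Z` on the two paths; then rename one pin across subtrees from a shell running in a permitted domain and observe that the inode keeps the label it was assigned at creation while a fresh lookup of the new path would have chosen the other type, which is the instability the reply above warns about.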