On Thu, Feb 6, 2020 at 9:35 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > On 2/6/20 12:21 PM, Stephen Smalley wrote: > > On 2/6/20 11:55 AM, Steven Moreland wrote: > >> From: Connor O'Brien <connoro@xxxxxxxxxx> > >> > >> Add support for genfscon per-file labeling of bpffs files. This allows > >> for separate permissions for different pinned bpf objects, which may > >> be completely unrelated to each other. > > > > Do you want bpf fs to also support userspace labeling of files via > > setxattr()? If so, you'll want to also add it to > > selinux_is_genfs_special_handling() as well. > > Android doesn't currently have this use case. > > The only caveat I would note here is that it appears that bpf fs > > supports rename, link, unlink, rmdir etc by userspace, which means that > > name-based labeling via genfscon isn't necessarily safe/stable. See > > https://github.com/SELinuxProject/selinux-kernel/issues/2 > > Android restricts ownership of these files to a single process (bpfloader) and so this isn't a concern in our architecture. Is it a concern in general? > >> Change-Id: I03ae28d3afea70acd6dc53ebf810b34b357b6eb5 > > > > Drop Change-Ids from patches submitted upstream please since they aren't > > meaningful outside of Android. > > Yeah, will resubmit, thanks. > >> Signed-off-by: Connor O'Brien <connoro@xxxxxxxxxx> > >> Signed-off-by: Steven Moreland <smoreland@xxxxxxxxxx> > >> --- > >> security/selinux/hooks.c | 1 + > >> 1 file changed, 1 insertion(+) > >> > >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > >> index de4887742d7c..4f9396e6ce8c 100644 > >> --- a/security/selinux/hooks.c > >> +++ b/security/selinux/hooks.c > >> @@ -872,6 +872,7 @@ static int selinux_set_mnt_opts(struct super_block > >> *sb, > >> !strcmp(sb->s_type->name, "sysfs") || > >> !strcmp(sb->s_type->name, "pstore") || > >> !strcmp(sb->s_type->name, "binder") || > >> + !strcmp(sb->s_type->name, "bpf") || > >> !strcmp(sb->s_type->name, "cgroup") || > >> !strcmp(sb->s_type->name, "cgroup2")) > >> sbsec->flags |= SE_SBGENFS; > >> > > Also, your patch appears to be based on an old kernel and won't apply > upstream; see > https://github.com/SELinuxProject/selinux-kernel/blob/master/README.md > Will resubmit, thanks.
