From: Connor O'Brien <connoro@xxxxxxxxxx> Add support for genfscon per-file labeling of bpffs files. This allows for separate permissions for different pinned bpf objects, which may be completely unrelated to each other. Signed-off-by: Connor O'Brien <connoro@xxxxxxxxxx> Signed-off-by: Steven Moreland <smoreland@xxxxxxxxxx> --- security/selinux/hooks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 116b4d644f68..d7b11188dc8d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -750,7 +750,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (strcmp(sb->s_type->name, "proc") == 0) sbsec->flags |= SE_SBPROC | SE_SBGENFS; - if (!strcmp(sb->s_type->name, "debugfs") || + if (!strcmp(sb->s_type->name, "bpf") || + !strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS; -- 2.25.0.341.g760bfbb309-goog v1 -> v2 - Rebased to be on upstream selinux tree - Removed Android specific 'Change-Id'
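Review bot: The added `!strcmp(sb->s_type->name, "bpf")` test at the head of the condition in selinux_set_mnt_opts() sets SE_SBGENFS for every bpffs mount based on the filesystem name alone, and the commit message does not say how systems are affected when the loaded policy has only a single genfscon entry for bpf, or none. Please state in the changelog which label a pinned object receives when no path-specific genfscon rule matches, and whether any existing policy would see labels change after this patch, so policy authors can judge it as a compatibility change. As a smaller style point, this strcmp chain now names four filesystems (bpf, debugfs, tracefs, pstore); a short comment above it saying what qualifies a filesystem for SE_SBGENFS would help whoever adds the next one.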