Could the following 1-liner be pulled into LTS please?
It should easily - if not quite trivially - apply to 4.9/4.14/4.19/5.4
LTS trees.
of note: it's already long present in all Android Common Kernel 4.9+ trees,
but the lack of it in LTS appears to cause a minor security/compatibility issue,
since things can end up mislabelled.
commit 4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc [v5.6-rc1-10-g4ca54d3d3022]
Author: Connor O'Brien <connoro@xxxxxxxxxx>
Date: Fri Feb 7 10:01:49 2020 -0800
security: selinux: allow per-file labeling for bpffs
Add support for genfscon per-file labeling of bpffs files. This allows
for separate permissions for different pinned bpf objects, which may
be completely unrelated to each other.
Signed-off-by: Connor O'Brien <connoro@xxxxxxxxxx>
Signed-off-by: Steven Moreland <smoreland@xxxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7c37cdb3aba0..44f6f4e20cba 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -702,6 +702,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
if (!strcmp(sb->s_type->name, "debugfs") ||
!strcmp(sb->s_type->name, "tracefs") ||
!strcmp(sb->s_type->name, "binderfs") ||
+ !strcmp(sb->s_type->name, "bpf") ||
!strcmp(sb->s_type->name, "pstore"))
sbsec->flags |= SE_SBGENFS;
Thank you.
Maciej Żenczykowski, Kernel Networking Developer @ Google
