Could the following 1-liner be pulled into LTS please?

It should easily - if not quite trivially - apply to 4.9/4.14/4.19/5.4 LTS trees.

Of note: it's already long present in all Android Common Kernel 4.9+ trees, but the lack of it in LTS appears to cause a minor security/compatibility issue, since things can end up mislabelled.

commit 4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc [v5.6-rc1-10-g4ca54d3d3022]
Author: Connor O'Brien <connoro@xxxxxxxxxx>
Date: Fri Feb 7 10:01:49 2020 -0800

security: selinux: allow per-file labeling for bpffs

Add support for genfscon per-file labeling of bpffs files. This allows for separate permissions for different pinned bpf objects, which may be completely unrelated to each other.

Signed-off-by: Connor O'Brien <connoro@xxxxxxxxxx>
Signed-off-by: Steven Moreland <smoreland@xxxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7c37cdb3aba0..44f6f4e20cba 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -702,6 +702,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "binderfs") || + !strcmp(sb->s_type->name, "bpf") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS;

Thank you.

Maciej Żenczykowski, Kernel Networking Developer @ Google
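
Review bot: the added comparison sits between the "binderfs" and "pstore" context lines, so the hunk only applies as written to a tree whose SE_SBGENFS list in selinux_set_mnt_opts() already contains the line !strcmp(sb->s_type->name, "binderfs") ||. For each of the 4.9/4.14/4.19/5.4 trees named in the request, check that this context is present; where it is not, rebase the hunk so the "bpf" test lands in that tree's own list, rather than relying on fuzz to place it. A second, smaller point on the same added line: the commit message talks about bpffs while the string matched is "bpf", the type name the BPF filesystem registers. One sentence in the commit message saying so would save a reader from wondering whether the string is a typo.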