Could the following 1-liner be pulled into LTS please? It should easily - if not quite trivially - apply to 4.9/4.14/4.19/5.4 LTS trees.
Of note: it's already long present in all Android Common Kernel 4.9+ trees, but the lack of it in LTS appears to cause a minor security/compatibility issue, since things can end up mislabelled.
commit 4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc [v5.6-rc1-10-g4ca54d3d3022]
Author: Connor O'Brien <connoro@google.com>
Date:   Fri Feb 7 10:01:49 2020 -0800
security: selinux: allow per-file labeling for bpffs
Add support for genfscon per-file labeling of bpffs files. This allows for separate permissions for different pinned bpf objects, which may be completely unrelated to each other.
Signed-off-by: Connor O'Brien <connoro@google.com>
Signed-off-by: Steven Moreland <smoreland@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7c37cdb3aba0..44f6f4e20cba 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -702,6 +702,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "binderfs") || + !strcmp(sb->s_type->name, "bpf") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS;
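Review bot: the context lines around the added `!strcmp(sb->s_type->name, "bpf") ||` include the `binderfs` check, which does not exist in the 4.9/4.14/4.19 trees this request targets (binderfs arrived in 5.0), so the hunk will need its context adjusted for those trees rather than applying verbatim; the functional change is only the one added line, which slots into the existing list of filesystems that get `SE_SBGENFS`. The commit message could also make explicit that the kernel side only enables per-path genfscon lookups for bpffs inodes: distinct labels for different pinned objects still require matching per-path `genfscon bpf` entries in the loaded policy, and without them the existing filesystem-wide label continues to apply.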
Thank you.
Maciej Żenczykowski, Kernel Networking Developer @ Google