Could the following 1-liner be pulled into LTS please? It should easily - if not quite trivially - apply to 4.9/4.14/4.19/5.4 LTS trees.
Of note: it's already long present in all Android Common Kernel 4.9+ trees, but the lack of it in LTS appears to cause a minor security/compatibility issue, since things can end up mislabelled.
commit 4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc [v5.6-rc1-10-g4ca54d3d3022]
Author: Connor O'Brien connoro@google.com
Date: Fri Feb 7 10:01:49 2020 -0800
security: selinux: allow per-file labeling for bpffs
Add support for genfscon per-file labeling of bpffs files. This allows for separate permissions for different pinned bpf objects, which may be completely unrelated to each other.
Signed-off-by: Connor O'Brien connoro@google.com
Signed-off-by: Steven Moreland smoreland@google.com
Acked-by: Stephen Smalley sds@tycho.nsa.gov
Signed-off-by: Paul Moore paul@paul-moore.com
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7c37cdb3aba0..44f6f4e20cba 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -702,6 +702,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "binderfs") || + !strcmp(sb->s_type->name, "bpf") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS;
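Review bot: The added `!strcmp(sb->s_type->name, "bpf") ||` line is placed between the "binderfs" and "pstore" comparisons in selinux_set_mnt_opts(), so the hunk applies as written only to trees where both of those context lines exist; for a tree whose filesystem list differs, the backport should be generated against that tree and must keep the new test inside the same condition that sets `sbsec->flags |= SE_SBGENFS`. The commit message would also benefit from one sentence saying what label pinned bpf objects receive when the loaded policy has no per-file genfscon entries for bpf, since that is the case most existing policies will be in when the change lands.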
Thank you.
Maciej Żenczykowski, Kernel Networking Developer @ Google
On Sun, Jul 24, 2022 at 01:49:42AM -0700, Maciej Żenczykowski wrote:
> Could the following 1-liner be pulled into LTS please? It should easily - if not quite trivially - apply to 4.9/4.14/4.19/5.4 LTS trees.
As it does not cleanly apply, can you provide a working backport so that we know it is the correct placement of this if statement addition, as it seems not to be the same in all of the stable trees.
And bpffs is in all of these old kernel releases, right?
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org