Message ID | 20200207180148.235161-1-smoreland@google.com (mailing list archive) |
---|---|
State | Accepted |
Series | [v3] security: selinux: allow per-file labeling for bpffs |
On 2/7/20 1:01 PM, Steven Moreland wrote: > From: Connor O'Brien <connoro@google.com> > > Add support for genfscon per-file labeling of bpffs files. This allows > for separate permissions for different pinned bpf objects, which may > be completely unrelated to each other. > > Signed-off-by: Connor O'Brien <connoro@google.com> > Signed-off-by: Steven Moreland <smoreland@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > security/selinux/hooks.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index d9e8b2131a65..18f8cd47729c 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -699,6 +699,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, > if (!strcmp(sb->s_type->name, "debugfs") || > !strcmp(sb->s_type->name, "tracefs") || > !strcmp(sb->s_type->name, "binderfs") || > + !strcmp(sb->s_type->name, "bpf") || > !strcmp(sb->s_type->name, "pstore")) > sbsec->flags |= SE_SBGENFS; > >
On Fri, Feb 7, 2020 at 1:02 PM Steven Moreland <smoreland@google.com> wrote:
>
> From: Connor O'Brien <connoro@google.com>
>
> Add support for genfscon per-file labeling of bpffs files. This allows
> for separate permissions for different pinned bpf objects, which may
> be completely unrelated to each other.
>
> Signed-off-by: Connor O'Brien <connoro@google.com>
> Signed-off-by: Steven Moreland <smoreland@google.com>
> ---
> security/selinux/hooks.c | 1 +
> 1 file changed, 1 insertion(+)

Merged into selinux/next, thanks.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9e8b2131a65..18f8cd47729c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -699,6 +699,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "binderfs") || + !strcmp(sb->s_type->name, "bpf") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS;
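Review bot: The added comparison in selinux_set_mnt_opts() matches the filesystem type string "bpf", while the commit message only speaks of "bpffs", so the message should state that genfscon rules have to name the type as "bpf" and say what, if anything, changes for policies that already label this filesystem once SE_SBGENFS is set on it. As a style point, the strcmp() chain on sb->s_type->name now has five entries; a small static table of type names checked in a loop would keep later additions to a one-line change and make the set of genfs-labeled filesystems easier to audit.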