From: Connor O'Brien Date: Fri, 7 Feb 2020 18:01:49 +0000 (-0800) Subject: security: selinux: allow per-file labeling for bpffs X-Git-Tag: v5.7-rc1~153^2~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc;p=thirdparty%2Flinux.git security: selinux: allow per-file labeling for bpffs Add support for genfscon per-file labeling of bpffs files. This allows for separate permissions for different pinned bpf objects, which may be completely unrelated to each other. Signed-off-by: Connor O'Brien Signed-off-by: Steven Moreland Acked-by: Stephen Smalley Signed-off-by: Paul Moore --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7c37cdb3aba03..44f6f4e20cba3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -702,6 +702,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "binderfs") || + !strcmp(sb->s_type->name, "bpf") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS;
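Review bot: The added `!strcmp(sb->s_type->name, "bpf") ||` test in selinux_set_mnt_opts() sets SE_SBGENFS for every bpf mount unconditionally, and the commit message does not say how pinned objects are labeled under a policy that carries no per-path genfscon entries for this filesystem. Please add a sentence on that so the effect on existing policies can be judged from the log alone. The message and subject say "bpffs" while the type name compared here is "bpf"; mentioning the actual type name in the message would help anyone searching for it later. As a style point, the condition now chains at least five strcmp() calls in the visible context (debugfs, tracefs, binderfs, bpf, pstore); a small static table of filesystem names checked in a loop would be easier to audit when the next filesystem is added, though that can be a follow-up.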