]> git.ipfire.org Git - thirdparty/linux.git/commit
projects / thirdparty / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 27a7cef) | patch
selinux: add support for BPF token access control
authorEric Suen <ericsu@linux.microsoft.com>
Fri, 5 Dec 2025 02:42:59 +0000 (18:42 -0800)
committerPaul Moore <paul@paul-moore.com>
Tue, 13 Jan 2026 20:42:37 +0000 (15:42 -0500)
commit5473a722f782f79f96b4691400d681c01fcacc2f
tree143cab975e996a5a3744def77538a80e053d2455tree
parent27a7cef9c3646e36f56f48c0ad43df3b821ffc96commit | diff
selinux: add support for BPF token access control

BPF token support was introduced to allow a privileged process to delegate
limited BPF functionality—such as map creation and program loading—to
an unprivileged process:
  https://lore.kernel.org/linux-security-module/20231130185229.2688956-1-andrii@kernel.org/

This patch adds SELinux support for controlling BPF token access. With
this change, SELinux policies can now enforce constraints on BPF token
usage based on both the delegating (privileged) process and the recipient
(unprivileged) process.

Supported operations currently include:
  - map_create
  - prog_load

High-level workflow:
  1. An unprivileged process creates a VFS context via `fsopen()` and
     obtains a file descriptor.
  2. This descriptor is passed to a privileged process, which configures
     BPF token delegation options and mounts a BPF filesystem.
  3. SELinux records the `creator_sid` of the privileged process during
     mount setup.
  4. The unprivileged process then uses this BPF fs mount to create a
     token and attach it to subsequent BPF syscalls.
  5. During verification of `map_create` and `prog_load`, SELinux uses
     `creator_sid` and the current SID to check policy permissions via:
       avc_has_perm(creator_sid, current_sid, SECCLASS_BPF,
                    BPF__MAP_CREATE, NULL);

The implementation introduces two new permissions:
  - map_create_as
  - prog_load_as

At token creation time, SELinux verifies that the current process has the
appropriate `*_as` permission (depending on the `allowed_cmds` value in
the bpf_token) to act on behalf of the `creator_sid`.

Example SELinux policy:
  allow test_bpf_t self:bpf {
      map_create map_read map_write prog_load prog_run
      map_create_as prog_load_as
  };

Additionally, a new policy capability bpf_token_perms is added to ensure
backward compatibility. If disabled, previous behavior ((checks based on
current process SID)) is preserved.

Signed-off-by: Eric Suen <ericsu@linux.microsoft.com>
Tested-by: Daniel Durning <danieldurning.work@gmail.com>
Reviewed-by: Daniel Durning <danieldurning.work@gmail.com>
[PM: merge fuzz, subject tweaks, whitespace tweaks, line length tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c diff | blob | blame | history
security/selinux/include/classmap.h diff | blob | blame | history
security/selinux/include/objsec.h diff | blob | blame | history
security/selinux/include/policycap.h diff | blob | blame | history
security/selinux/include/policycap_names.h diff | blob | blame | history
security/selinux/include/security.h diff | blob | blame | history
A mirror of Linus' kernel repository