summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorConnor O'Brien <connoro@google.com>2020-02-07 19:01:49 +0100
committerPaul Moore <paul@paul-moore.com>2020-02-12 04:02:54 +0100
commit4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc (patch)
tree26460de2a33da6426901e6a38bbacaac8fd43d81 /security
parentselinux: generalize evaluate_cond_node() (diff)
downloadlinux-4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc.tar.xz
linux-4ca54d3d3022ce27170b50e4bdecc3a42f05dbdc.zip
security: selinux: allow per-file labeling for bpffs
Add support for genfscon per-file labeling of bpffs files. This allows for separate permissions for different pinned bpf objects, which may be completely unrelated to each other. Signed-off-by: Connor O'Brien <connoro@google.com> Signed-off-by: Steven Moreland <smoreland@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7c37cdb3aba0..44f6f4e20cba 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -702,6 +702,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
if (!strcmp(sb->s_type->name, "debugfs") ||
!strcmp(sb->s_type->name, "tracefs") ||
!strcmp(sb->s_type->name, "binderfs") ||
+ !strcmp(sb->s_type->name, "bpf") ||
!strcmp(sb->s_type->name, "pstore"))
sbsec->flags |= SE_SBGENFS;