Re: [BUG] lsm= with bpf before selinux breaks fscreate with EINVAL

[Vitaly Chikunov <vt@altlinux.org>]

Paul,

On Mon, May 11, 2026 at 04:19:34PM -0400, Paul Moore wrote:
> On Sun, May 10, 2026 at 5:17 PM Vitaly Chikunov <vt@altlinux.org> wrote:
> >
> > Hi,
> >
> > We have boot failure when CONFIG_LSM has "bpf" listed before "selinux"
> > (without bpf lsm scripts loaded). (This also happens with a boot with
> > "security=selinux" if selinux was not in LSM= list but bpf is.)
> >
> > systemd reports on the failing boot attempt:
> >
> >   Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/shm: Invalid argument
> >   Mounting tmpfs to /dev/shm of type tmpfs with options mode=01777.
> >   Mounting tmpfs (tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777")...
> >   Failed to mount tmpfs (type tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777"): No such file or directory
> >   Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/pts: Invalid argument
> >   Mounting devpts to /dev/pts of type devpts with options mode=0620,gid=5.
> >   Mounting devpts (devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5")...
> >   Failed to mount devpts (type devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5"): No such file or directory
> >   No filesystem is currently mounted on /sys/fs/cgroup.
> >   Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/cgroup: Invalid argument
> >   Mounting cgroup2 to /sys/fs/cgroup of type cgroup2 with options nsdelegate,memory_recursiveprot.
> >   Mounting cgroup2 (cgroup2) on /sys/fs/cgroup (MS_NOSUID|MS_NODEV|MS_NOEXEC "nsdelegate,memory_recursiveprot")...
> >   Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/pstore: Invalid argument
> >   Mounting pstore to /sys/fs/pstore of type pstore with options n/a.
> >   Mounting pstore (pstore) on /sys/fs/pstore (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
> >   Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/bpf: Invalid argument
> >   Mounting bpf to /sys/fs/bpf of type bpf with options mode=0700.
> >   Mounting bpf (bpf) on /sys/fs/bpf (MS_NOSUID|MS_NODEV|MS_NOEXEC "mode=0700")...
> >   [!!!!!!] Failed to mount API filesystems.
> >   Freezing execution
> >
> > 'Invalid arguments' seems from setfscreatecon_raw.
> >
> > Reproducer:
> >
> >   Boot with lsm=lockdown,capability,landlock,yama,safesetid,bpf,selinux,ima,evm
> >
> >   (none):~# cat /proc/thread-self/attr/current
> >   cat: /proc/thread-self/attr/current: Invalid argument
> >   (none):~# echo > /proc/thread-self/attr/fscreate
> >   bash: echo: write error: Invalid argument
> >
> > This appears to be caused by security_getprocattr / security_setprocattr
> > iterating until the first hook defined (which is bpf) and returning with
> > default value -EINVAL before selinux even sees them.
> 
> Thanks for the problem report, the general recommendation is to place
> the BPF LSM towards the end of the list (see the CONFIG_LSM Kconfig
> help text), but we're trying to ensure that the BPF LSM works properly
> when placed anywhere in that list.

I think if the order is important it should be handled in the code like
for capabilities and ima/evm LSMs, not by forcing the user to discover
the correct order with trial and error.

> 
> My apologies if you're abilities are well beyond this, but if you are
> familiar with patching and building your own kernel, have you tried
> changing the LSM_RET_DEFAULT value for those functions to zero/0?
> Assuming userspace is happy with that, I believe it may solve this
> problem.

I can patch and test if this is useful to find the correct solution, but
the description is a bit vague. Did you mean

  include/linux/lsm_hook_defs.h:301:LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char *name,
  include/linux/lsm_hook_defs.h:303:LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)

In these lines to replace -EINVAL with 0?

I would never try this on my own, because it looks like -EINVAL is a
meaningful value, and I would never claim to understand all the
intricacies of LSMs.

  3892 int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
  3893 {
  3894         struct lsm_static_call *scall;
  3895
  3896         lsm_for_each_hook(scall, setprocattr) {
  3897                 if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
  3898                         continue;
  3899                 return scall->hl->hook.setprocattr(name, value, size);
  3900         }
  3901         return LSM_RET_DEFAULT(setprocattr);
  3902 }

If my first hypothesis is correct, and the lsm_for_each_hook goes into
bpf before selinux, setting the default to 0 will make selinux hook
unreachable.

With all this, I conclude that I perhaps misunderstood your request.

Thanks,

> 
> -- 
> paul-moore.com