From: Eric Suen <ericsu@linux.microsoft.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: selinux@vger.kernel.org, paul@paul-moore.com,
omosnace@redhat.com, danieldurning.work@gmail.com
Subject: Re: [PATCH v4] SELinux: Add support for BPF token access control
Date: Wed, 8 Oct 2025 15:20:27 -0700 [thread overview]
Message-ID: <fe6f4419-06be-4169-b694-b2ba26c7f141@linux.microsoft.com> (raw)
In-Reply-To: <CAEjxPJ4XyNmyXB5w+8a78fkQDMwF+DHP1efEJhXZPTsSABEAuQ@mail.gmail.com>
On 10/6/2025 12:11 PM, Stephen Smalley wrote:
> On Mon, Oct 6, 2025 at 3:00 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
>> On Mon, Oct 6, 2025 at 1:22 PM Eric Suen <ericsu@linux.microsoft.com> wrote:
>>> BPF token support was introduced to allow a privileged process to delegate
>>> limited BPF functionality—such as map creation and program loading—to
>>> an unprivileged process:
>>> https://lore.kernel.org/linux-security-module/20231130185229.2688956-1-andrii@kernel.org/
>>>
>>> This patch adds SELinux support for controlling BPF token access. With
>>> this change, SELinux policies can now enforce constraints on BPF token
>>> usage based on both the delegating (privileged) process and the recipient
>>> (unprivileged) process.
>>>
>>> Supported operations currently include:
>>> - map_create
>>> - prog_load
>>>
>>> High-level workflow:
>>> 1. An unprivileged process creates a VFS context via `fsopen()` and
>>> obtains a file descriptor.
>>> 2. This descriptor is passed to a privileged process, which configures
>>> BPF token delegation options and mounts a BPF filesystem.
>>> 3. SELinux records the `creator_sid` of the privileged process during
>>> mount setup.
>>> 4. The unprivileged process then uses this BPF fs mount to create a
>>> token and attach it to subsequent BPF syscalls.
>>> 5. During verification of `map_create` and `prog_load`, SELinux uses
>>> `creator_sid` and the current SID to check policy permissions via:
>>> avc_has_perm(creator_sid, current_sid, SECCLASS_BPF,
>>> BPF__MAP_CREATE, NULL);
>>>
>>> The implementation introduces two new permissions:
>>> - map_create_as
>>> - prog_load_as
>>>
>>> At token creation time, SELinux verifies that the current process has the
>>> appropriate `*_as` permission (depending on the `allowed_cmds` value in
>>> the bpf_token) to act on behalf of the `creator_sid`.
>>>
>>> Example SELinux policy:
>>> allow test_bpf_t self:bpf {
>>> map_create map_read map_write prog_load prog_run
>>> map_create_as prog_load_as
>>> };
>>>
>>> Additionally, a new policy capability bpf_token_perms is added to ensure
>>> backward compatibility. If disabled, previous behavior ((checks based on
>>> current process SID)) is preserved.
>>>
>>> Signed-off-by: Eric Suen <ericsu@linux.microsoft.com>
>>> ---
>>> Changes in v2:
>>> - Fixed bug in selinux_bpffs_creator_sid(u32 fd) where it retrieved
>>> creator_sid from wrong file descriptor
>>> - Removed unnecessary checks for null, per review comments from
>>> the first patch
>>>
>>> Changes in v3:
>>> - Removed check for 'sid == SECSID_NULL' in selinux_bpf_token_create and
>>> allow it to fall through to the permission checks which will fail as
>>> access denied to unlabeled_t
>>>
>>> Changes in v4:
>>> - Added initialization of creator_sid in selinux_sb_alloc_security
>>> - Enabled handling of creator_sid in selinux_cmp_sb_context and
>>> selinux_sb_clone_mnt_opts
>>> - Minor updates based on review comments
>>>
>>> security/selinux/hooks.c | 93 +++++++++++++++++++++-
>>> security/selinux/include/classmap.h | 2 +-
>>> security/selinux/include/objsec.h | 2 +
>>> security/selinux/include/policycap.h | 1 +
>>> security/selinux/include/policycap_names.h | 1 +
>>> security/selinux/include/security.h | 6 ++
>>> 6 files changed, 102 insertions(+), 3 deletions(-)
>>>
>> What is this patch relative to? Didn't apply for me on
>> selinux/dev-staging or selinux/dev.
>> Optimally should target selinux/dev-staging at this point since it has
>> the memfd patch and hence its policy capability defined, and your new
>> one should go after that one.
Let me move to dev-staging and send out a new patch.
>>
>> Also, did you ever explain why your implementation lacks a
>> bpf_token_capable() hook and whether that still needs to be addressed?
Just looked the code and I believe it's better to have this function
implemented.
> Also, if you could re-base your libsepol patch on the latest selinux
> userspace, updating your policy capability definition there as well,
> that would help with testing.
Sure, will do.
prev parent reply other threads:[~2025-10-08 22:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-06 17:22 [PATCH v4] SELinux: Add support for BPF token access control Eric Suen
2025-10-06 19:00 ` Stephen Smalley
2025-10-06 19:11 ` Stephen Smalley
2025-10-08 22:20 ` Eric Suen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe6f4419-06be-4169-b694-b2ba26c7f141@linux.microsoft.com \
--to=ericsu@linux.microsoft.com \
--cc=danieldurning.work@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.