* [BUG] lsm= with bpf before selinux breaks fscreate with EINVAL
From: Vitaly Chikunov @ 2026-05-10 21:17 UTC (permalink / raw)
To: linux-security-module, bpf, selinux
Cc: Paul Moore, KP Singh, Matt Bobrowski, Stephen Smalley,
Ondrej Mosnacek, linux-kernel
Hi,
We have a boot failure when CONFIG_LSM has "bpf" listed before "selinux"
(without bpf lsm scripts loaded). (This also happens when booting with
"security=selinux" if selinux is not in the LSM= list but bpf is.)
systemd reports on the failing boot attempt:
Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/shm: Invalid argument
Mounting tmpfs to /dev/shm of type tmpfs with options mode=01777.
Mounting tmpfs (tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777")...
Failed to mount tmpfs (type tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777"): No such file or directory
Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/pts: Invalid argument
Mounting devpts to /dev/pts of type devpts with options mode=0620,gid=5.
Mounting devpts (devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5")...
Failed to mount devpts (type devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5"): No such file or directory
No filesystem is currently mounted on /sys/fs/cgroup.
Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/cgroup: Invalid argument
Mounting cgroup2 to /sys/fs/cgroup of type cgroup2 with options nsdelegate,memory_recursiveprot.
Mounting cgroup2 (cgroup2) on /sys/fs/cgroup (MS_NOSUID|MS_NODEV|MS_NOEXEC "nsdelegate,memory_recursiveprot")...
Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/pstore: Invalid argument
Mounting pstore to /sys/fs/pstore of type pstore with options n/a.
Mounting pstore (pstore) on /sys/fs/pstore (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/bpf: Invalid argument
Mounting bpf to /sys/fs/bpf of type bpf with options mode=0700.
Mounting bpf (bpf) on /sys/fs/bpf (MS_NOSUID|MS_NODEV|MS_NOEXEC "mode=0700")...
[!!!!!!] Failed to mount API filesystems.
Freezing execution
'Invalid argument' seems to come from setfscreatecon_raw.
Reproducer:
Boot with lsm=lockdown,capability,landlock,yama,safesetid,bpf,selinux,ima,evm
(none):~# cat /proc/thread-self/attr/current
cat: /proc/thread-self/attr/current: Invalid argument
(none):~# echo > /proc/thread-self/attr/fscreate
bash: echo: write error: Invalid argument
This appears to be caused by security_getprocattr / security_setprocattr
iterating until the first hook defined (which is bpf) and returning with
default value -EINVAL before selinux even sees them.
Perhaps the bpf LSM should avoid registering getprocattr/setprocattr hooks
that it does not implement, or the legacy LSM_ID_UNDEF procattr dispatch
should skip LSMs that cannot handle the requested attribute and continue
to SELinux (or whatever).
Thanks,
* Re: [BUG] lsm= with bpf before selinux breaks fscreate with EINVAL
From: Paul Moore @ 2026-05-11 20:19 UTC (permalink / raw)
To: Vitaly Chikunov
Cc: linux-security-module, bpf, selinux, KP Singh, Matt Bobrowski,
Stephen Smalley, Ondrej Mosnacek, linux-kernel
On Sun, May 10, 2026 at 5:17 PM Vitaly Chikunov <vt@altlinux.org> wrote:
>
> Hi,
>
> We have boot failure when CONFIG_LSM has "bpf" listed before "selinux"
> (without bpf lsm scripts loaded). (This also happens with a boot with
> "security=selinux" if selinux was not in LSM= list but bpf is.)
>
> systemd reports on the failing boot attempt:
>
> Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/shm: Invalid argument
> Mounting tmpfs to /dev/shm of type tmpfs with options mode=01777.
> Mounting tmpfs (tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777")...
> Failed to mount tmpfs (type tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777"): No such file or directory
> Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/pts: Invalid argument
> Mounting devpts to /dev/pts of type devpts with options mode=0620,gid=5.
> Mounting devpts (devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5")...
> Failed to mount devpts (type devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5"): No such file or directory
> No filesystem is currently mounted on /sys/fs/cgroup.
> Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/cgroup: Invalid argument
> Mounting cgroup2 to /sys/fs/cgroup of type cgroup2 with options nsdelegate,memory_recursiveprot.
> Mounting cgroup2 (cgroup2) on /sys/fs/cgroup (MS_NOSUID|MS_NODEV|MS_NOEXEC "nsdelegate,memory_recursiveprot")...
> Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/pstore: Invalid argument
> Mounting pstore to /sys/fs/pstore of type pstore with options n/a.
> Mounting pstore (pstore) on /sys/fs/pstore (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
> Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/bpf: Invalid argument
> Mounting bpf to /sys/fs/bpf of type bpf with options mode=0700.
> Mounting bpf (bpf) on /sys/fs/bpf (MS_NOSUID|MS_NODEV|MS_NOEXEC "mode=0700")...
> [!!!!!!] Failed to mount API filesystems.
> Freezing execution
>
> 'Invalid arguments' seems from setfscreatecon_raw.
>
> Reproducer:
>
> Boot with lsm=lockdown,capability,landlock,yama,safesetid,bpf,selinux,ima,evm
>
> (none):~# cat /proc/thread-self/attr/current
> cat: /proc/thread-self/attr/current: Invalid argument
> (none):~# echo > /proc/thread-self/attr/fscreate
> bash: echo: write error: Invalid argument
>
> This appears to be caused by security_getprocattr / security_setprocattr
> iterating until the first hook defined (which is bpf) and returning with
> default value -EINVAL before selinux even sees them.
Thanks for the problem report. The general recommendation is to place
the BPF LSM towards the end of the list (see the CONFIG_LSM Kconfig
help text), but we're trying to ensure that the BPF LSM works properly
when placed anywhere in that list.
My apologies if your abilities are well beyond this, but if you are
familiar with patching and building your own kernel, have you tried
changing the LSM_RET_DEFAULT value for those functions to zero/0?
Assuming userspace is happy with that, I believe it may solve this
problem.
--
paul-moore.com
* Re: [BUG] lsm= with bpf before selinux breaks fscreate with EINVAL
From: Vitaly Chikunov @ 2026-05-11 21:03 UTC (permalink / raw)
To: Paul Moore
Cc: linux-security-module, bpf, selinux, KP Singh, Matt Bobrowski,
Stephen Smalley, Ondrej Mosnacek, linux-kernel
Paul,
On Mon, May 11, 2026 at 04:19:34PM -0400, Paul Moore wrote:
> On Sun, May 10, 2026 at 5:17 PM Vitaly Chikunov <vt@altlinux.org> wrote:
> >
> > Hi,
> >
> > We have boot failure when CONFIG_LSM has "bpf" listed before "selinux"
> > (without bpf lsm scripts loaded). (This also happens with a boot with
> > "security=selinux" if selinux was not in LSM= list but bpf is.)
> >
> > systemd reports on the failing boot attempt:
> >
> > Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/shm: Invalid argument
> > Mounting tmpfs to /dev/shm of type tmpfs with options mode=01777.
> > Mounting tmpfs (tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777")...
> > Failed to mount tmpfs (type tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777"): No such file or directory
> > Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/pts: Invalid argument
> > Mounting devpts to /dev/pts of type devpts with options mode=0620,gid=5.
> > Mounting devpts (devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5")...
> > Failed to mount devpts (type devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5"): No such file or directory
> > No filesystem is currently mounted on /sys/fs/cgroup.
> > Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/cgroup: Invalid argument
> > Mounting cgroup2 to /sys/fs/cgroup of type cgroup2 with options nsdelegate,memory_recursiveprot.
> > Mounting cgroup2 (cgroup2) on /sys/fs/cgroup (MS_NOSUID|MS_NODEV|MS_NOEXEC "nsdelegate,memory_recursiveprot")...
> > Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/pstore: Invalid argument
> > Mounting pstore to /sys/fs/pstore of type pstore with options n/a.
> > Mounting pstore (pstore) on /sys/fs/pstore (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
> > Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/bpf: Invalid argument
> > Mounting bpf to /sys/fs/bpf of type bpf with options mode=0700.
> > Mounting bpf (bpf) on /sys/fs/bpf (MS_NOSUID|MS_NODEV|MS_NOEXEC "mode=0700")...
> > [!!!!!!] Failed to mount API filesystems.
> > Freezing execution
> >
> > 'Invalid arguments' seems from setfscreatecon_raw.
> >
> > Reproducer:
> >
> > Boot with lsm=lockdown,capability,landlock,yama,safesetid,bpf,selinux,ima,evm
> >
> > (none):~# cat /proc/thread-self/attr/current
> > cat: /proc/thread-self/attr/current: Invalid argument
> > (none):~# echo > /proc/thread-self/attr/fscreate
> > bash: echo: write error: Invalid argument
> >
> > This appears to be caused by security_getprocattr / security_setprocattr
> > iterating until the first hook defined (which is bpf) and returning with
> > default value -EINVAL before selinux even sees them.
>
> Thanks for the problem report. The general recommendation is to place
> the BPF LSM towards the end of the list (see the CONFIG_LSM Kconfig
> help text), but we're trying to ensure that the BPF LSM works properly
> when placed anywhere in that list.
I think if the order is important it should be handled in the code like
for capabilities and ima/evm LSMs, not by forcing the user to discover
the correct order with trial and error.
>
> My apologies if your abilities are well beyond this, but if you are
> familiar with patching and building your own kernel, have you tried
> changing the LSM_RET_DEFAULT value for those functions to zero/0?
> Assuming userspace is happy with that, I believe it may solve this
> problem.
I can patch and test if this is useful to find the correct solution, but
the description is a bit vague. Did you mean to replace -EINVAL with 0
in these lines?
include/linux/lsm_hook_defs.h:301:LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char *name,
include/linux/lsm_hook_defs.h:303:LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
I would never try this on my own, because it looks like -EINVAL is a
meaningful value, and I would never claim to understand all the
intricacies of LSMs.
int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
{
	struct lsm_static_call *scall;

	lsm_for_each_hook(scall, setprocattr) {
		if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
			continue;
		return scall->hl->hook.setprocattr(name, value, size);
	}
	return LSM_RET_DEFAULT(setprocattr);
}
If my first hypothesis is correct, and lsm_for_each_hook goes into
bpf before selinux, setting the default to 0 will make the selinux hook
unreachable.
With all this, I conclude that I perhaps misunderstood your request.
Thanks,
>
> --
> paul-moore.com
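Added illustration (not code from the thread, the kernel, or either poster): a user-space model of the "first registered hook answers" dispatch shown in the quoted security_setprocattr(), alongside the "skip LSMs that answer -EINVAL" variant floated in the report. The LSM stubs (model_bpf_setprocattr, model_selinux_setprocattr), the demo_* entry points and their behaviour are assumptions made for the model; the -EINVAL default is the one visible in the quoted lsm_hook_defs.h lines. It shows why the default value never comes into play once an earlier LSM owns the hook slot, which is the point the reporter raises about the zero/0 suggestion.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hook signature modelled on the setprocattr LSM hook from the thread. */
typedef int (*model_setprocattr_fn)(const char *name, void *value, size_t size);

struct model_lsm {
    const char *id;
    model_setprocattr_fn setprocattr;  /* NULL: this LSM registers no hook */
};

/* Assumption: a BPF LSM with no program attached owns the hook slot but
 * handles no attribute, so it answers -EINVAL for every name. */
static int model_bpf_setprocattr(const char *name, void *value, size_t size)
{
    (void)name; (void)value; (void)size;
    return -EINVAL;
}

/* Assumption: a SELinux-like hook that accepts the two attributes the
 * reproducer touches and rejects anything else with -EINVAL. */
static int model_selinux_setprocattr(const char *name, void *value, size_t size)
{
    (void)value; (void)size;
    if (strcmp(name, "fscreate") == 0 || strcmp(name, "current") == 0)
        return 0;
    return -EINVAL;
}

/* Same shape as the quoted security_setprocattr(): the first LSM that
 * registered the hook answers; ret_default is reached only when no LSM
 * registered the hook at all. */
static int model_dispatch_first_wins(const struct model_lsm *lsms, size_t n,
                                     const char *name, void *value, size_t size,
                                     int ret_default)
{
    for (size_t i = 0; i < n; i++) {
        if (lsms[i].setprocattr)
            return lsms[i].setprocattr(name, value, size);
    }
    return ret_default;
}

/* The alternative floated in the report: an LSM answering -EINVAL is
 * treated as "not mine" and the walk continues to the next LSM. */
static int model_dispatch_skip_einval(const struct model_lsm *lsms, size_t n,
                                      const char *name, void *value, size_t size,
                                      int ret_default)
{
    int rc = ret_default;

    for (size_t i = 0; i < n; i++) {
        if (!lsms[i].setprocattr)
            continue;
        rc = lsms[i].setprocattr(name, value, size);
        if (rc != -EINVAL)
            return rc;
    }
    return rc;
}

/* Two constructed orderings of the same two LSMs. */
static const struct model_lsm order_bpf_first[] = {
    { "bpf",     model_bpf_setprocattr },
    { "selinux", model_selinux_setprocattr },
};
static const struct model_lsm order_selinux_first[] = {
    { "selinux", model_selinux_setprocattr },
    { "bpf",     model_bpf_setprocattr },
};
#define N_LSMS 2

/* "echo > /proc/thread-self/attr/fscreate" writes a single newline. */
static char fscreate_payload[] = "\n";

int demo_first_wins_bpf_first(int ret_default)
{
    return model_dispatch_first_wins(order_bpf_first, N_LSMS, "fscreate",
                                     fscreate_payload, 1, ret_default);
}

int demo_first_wins_selinux_first(int ret_default)
{
    return model_dispatch_first_wins(order_selinux_first, N_LSMS, "fscreate",
                                     fscreate_payload, 1, ret_default);
}

int demo_skip_einval_bpf_first(void)
{
    return model_dispatch_skip_einval(order_bpf_first, N_LSMS, "fscreate",
                                      fscreate_payload, 1, -EINVAL);
}

int main(void)
{
    printf("bpf first, default -EINVAL: %d\n", demo_first_wins_bpf_first(-EINVAL));
    printf("bpf first, default 0:       %d\n", demo_first_wins_bpf_first(0));
    printf("selinux first:              %d\n", demo_first_wins_selinux_first(-EINVAL));
    printf("bpf first, skip -EINVAL:    %d\n", demo_skip_einval_bpf_first());
    return 0;
}
```

With bpf ahead of selinux the first-wins walk returns bpf's -EINVAL whether the default is -EINVAL or 0, matching the reproducer's "Invalid argument"; only reordering the LSMs or continuing past an -EINVAL answer lets the selinux stub see the attribute.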