From: danieldurning.work@gmail.com
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, stephen.smalley.work@gmail.com, omosnace@redhat.com
Subject: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
Date: Fri, 1 Aug 2025 15:46:37 +0000 [thread overview]
Message-ID: <20250801154637.143931-1-danieldurning.work@gmail.com> (raw)
From: Daniel Durning <danieldurning.work@gmail.com>
Implement bpf_token_cmd and bpf_token_capable hooks for SELinux.
For both hooks we check against the token SID, to support
delegation. We could add a further check based on process SID
when the token is first created.
Signed-off-by: Daniel Durning <danieldurning.work@gmail.com>
---
security/selinux/hooks.c | 48 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 335fbf76cdd2..bffddffe0b25 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7154,6 +7154,52 @@ static void selinux_bpf_token_free(struct bpf_token *token)
token->security = NULL;
kfree(bpfsec);
}
+
+static int selinux_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
+{
+ struct bpf_security_struct *bpfsec = token->security;
+ u32 sid = bpfsec->sid;
+ int ret;
+
+ switch (cmd) {
+ case BPF_MAP_CREATE:
+ ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
+ NULL);
+ break;
+ case BPF_PROG_LOAD:
+ ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
+ NULL);
+ break;
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+static int selinux_bpf_token_capable(const struct bpf_token *token, int cap)
+{
+ u16 sclass;
+ struct bpf_security_struct *bpfsec = token->security;
+ u32 sid = bpfsec->sid;
+ u32 av = CAP_TO_MASK(cap);
+
+ switch (CAP_TO_INDEX(cap)) {
+ case 0:
+ sclass = SECCLASS_CAP_USERNS;
+ break;
+ case 1:
+ sclass = SECCLASS_CAP2_USERNS;
+ break;
+ default:
+ pr_err("SELinux: out of range capability %d\n", cap);
+ return -EINVAL;
+ }
+
+ return avc_has_perm(sid, sid, sclass, av, NULL);
+}
+
#endif
struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
@@ -7525,6 +7571,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
+ LSM_HOOK_INIT(bpf_token_cmd, selinux_bpf_token_cmd),
+ LSM_HOOK_INIT(bpf_token_capable, selinux_bpf_token_capable),
#endif
#ifdef CONFIG_PERF_EVENTS
--
2.50.1
next reply other threads:[~2025-08-01 15:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-01 15:46 danieldurning.work [this message]
2025-08-01 18:38 ` [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks Stephen Smalley
2025-08-01 19:29 ` Stephen Smalley
2025-08-03 12:28 ` Paul Moore
2025-08-04 12:18 ` Stephen Smalley
2025-08-04 20:13 ` Paul Moore
2025-08-05 14:17 ` Daniel Durning
2025-08-05 18:19 ` Eric Suen
2025-08-06 18:30 ` Eric Suen
2025-08-04 13:20 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250801154637.143931-1-danieldurning.work@gmail.com \
--to=danieldurning.work@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).