* [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
@ 2025-08-01 15:46 danieldurning.work
2025-08-01 18:38 ` Stephen Smalley
From: danieldurning.work @ 2025-08-01 15:46 UTC (permalink / raw)
To: selinux; +Cc: paul, stephen.smalley.work, omosnace
From: Daniel Durning <danieldurning.work@gmail.com>
Implement bpf_token_cmd and bpf_token_capable hooks for SELinux.
For both hooks the permission check is made against the token SID
(used as both source and target), rather than the SID of the calling
process, to support delegation. A further check based on the process
SID could be added when the token is first created.
Signed-off-by: Daniel Durning <danieldurning.work@gmail.com>
---
security/selinux/hooks.c | 48 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 335fbf76cdd2..bffddffe0b25 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7154,6 +7154,52 @@ static void selinux_bpf_token_free(struct bpf_token *token)
token->security = NULL;
kfree(bpfsec);
}
+
+static int selinux_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
+{
+ struct bpf_security_struct *bpfsec = token->security;
+ u32 sid = bpfsec->sid;
+ int ret;
+
+ switch (cmd) {
+ case BPF_MAP_CREATE:
+ ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
+ NULL);
+ break;
+ case BPF_PROG_LOAD:
+ ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
+ NULL);
+ break;
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+static int selinux_bpf_token_capable(const struct bpf_token *token, int cap)
+{
+ u16 sclass;
+ struct bpf_security_struct *bpfsec = token->security;
+ u32 sid = bpfsec->sid;
+ u32 av = CAP_TO_MASK(cap);
+
+ switch (CAP_TO_INDEX(cap)) {
+ case 0:
+ sclass = SECCLASS_CAP_USERNS;
+ break;
+ case 1:
+ sclass = SECCLASS_CAP2_USERNS;
+ break;
+ default:
+ pr_err("SELinux: out of range capability %d\n", cap);
+ return -EINVAL;
+ }
+
+ return avc_has_perm(sid, sid, sclass, av, NULL);
+}
+
#endif
struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
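Review bot: The `default: ret = 0;` arm in selinux_bpf_token_cmd() makes every command other than BPF_MAP_CREATE and BPF_PROG_LOAD fail open, and nothing in the hunk records that this is intentional. If I am reading the token code correctly, BPF_BTF_LOAD is also delegated through a token and will land in this arm, so a BTF load via token receives no bpf-class permission check and is gated only by the separate cap_userns check in selinux_bpf_token_capable(). I would at least make that decision explicit, e.g. `default: /* no per-command bpf permission (e.g. BPF_BTF_LOAD); covered only by token_capable() */ ret = 0;`, or add a dedicated bpf-class permission if policy should be able to distinguish it. It is also worth a one-line comment above each hook that both checks use the token SID as source and target, so the calling process's SID never enters the decision, since that is the central design choice of the patch.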
@@ -7525,6 +7571,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
+ LSM_HOOK_INIT(bpf_token_cmd, selinux_bpf_token_cmd),
+ LSM_HOOK_INIT(bpf_token_capable, selinux_bpf_token_capable),
#endif
#ifdef CONFIG_PERF_EVENTS
--
2.50.1
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-01 15:46 [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks danieldurning.work
@ 2025-08-01 18:38 ` Stephen Smalley
2025-08-01 19:29 ` Stephen Smalley
2025-08-04 13:20 ` Stephen Smalley
From: Stephen Smalley @ 2025-08-01 18:38 UTC (permalink / raw)
To: danieldurning.work; +Cc: selinux, paul, omosnace
On Fri, Aug 1, 2025 at 11:49 AM <danieldurning.work@gmail.com> wrote:
>
> From: Daniel Durning <danieldurning.work@gmail.com>
>
> Implement bpf_token_cmd and bpf_token_capable hooks for SELinux.
> For both hooks we check against the token SID, to support
> delegation. We could add a further check based on process SID
> when the token is first created.
I agree with the approach - it is consistent with how tokens are used.
I suppose we could perform a process-based check in
selinux_bpf_token_create() if it was generic, or add one to each of
these hooks if we want a different permission for different cmd or cap
values.
We may need to wrap these checks with a new policy capability (see
security/selinux/include/policycap.h and related code) to avoid
breaking compatibility on existing systems using BPF tokens, if any.
>
> Signed-off-by: Daniel Durning <danieldurning.work@gmail.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> security/selinux/hooks.c | 48 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 48 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 335fbf76cdd2..bffddffe0b25 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -7154,6 +7154,52 @@ static void selinux_bpf_token_free(struct bpf_token *token)
> token->security = NULL;
> kfree(bpfsec);
> }
> +
> +static int selinux_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
> +{
> + struct bpf_security_struct *bpfsec = token->security;
> + u32 sid = bpfsec->sid;
> + int ret;
> +
> + switch (cmd) {
> + case BPF_MAP_CREATE:
> + ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
> + NULL);
> + break;
> + case BPF_PROG_LOAD:
> + ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
> + NULL);
> + break;
> + default:
> + ret = 0;
> + break;
> + }
> +
> + return ret;
> +}
> +
> +static int selinux_bpf_token_capable(const struct bpf_token *token, int cap)
> +{
> + u16 sclass;
> + struct bpf_security_struct *bpfsec = token->security;
> + u32 sid = bpfsec->sid;
> + u32 av = CAP_TO_MASK(cap);
> +
> + switch (CAP_TO_INDEX(cap)) {
> + case 0:
> + sclass = SECCLASS_CAP_USERNS;
> + break;
> + case 1:
> + sclass = SECCLASS_CAP2_USERNS;
> + break;
> + default:
> + pr_err("SELinux: out of range capability %d\n", cap);
> + return -EINVAL;
> + }
> +
> + return avc_has_perm(sid, sid, sclass, av, NULL);
> +}
> +
> #endif
>
> struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
> @@ -7525,6 +7571,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
> LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
> LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
> + LSM_HOOK_INIT(bpf_token_cmd, selinux_bpf_token_cmd),
> + LSM_HOOK_INIT(bpf_token_capable, selinux_bpf_token_capable),
> #endif
>
> #ifdef CONFIG_PERF_EVENTS
> --
> 2.50.1
>
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-01 18:38 ` Stephen Smalley
@ 2025-08-01 19:29 ` Stephen Smalley
2025-08-03 12:28 ` Paul Moore
2025-08-04 13:20 ` Stephen Smalley
From: Stephen Smalley @ 2025-08-01 19:29 UTC (permalink / raw)
To: danieldurning.work; +Cc: selinux, paul, omosnace
On Fri, Aug 1, 2025 at 2:38 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Aug 1, 2025 at 11:49 AM <danieldurning.work@gmail.com> wrote:
> >
> > From: Daniel Durning <danieldurning.work@gmail.com>
> >
> > Implement bpf_token_cmd and bpf_token_capable hooks for SELinux.
> > For both hooks we check against the token SID, to support
> > delegation. We could add a further check based on process SID
> > when the token is first created.
>
> I agree with the approach - it is consistent with how tokens are used.
> I suppose we could perform a process-based check in
> selinux_bpf_token_create() if it was generic, or add one to each of
> these hooks if we want a different permission for different cmd or cap
> values.
Ah, actually that doesn't look viable at least for the token capable
checks, since those look like they can occur from outside of process
context if I am reading the code correctly.
>
> We may need to wrap these checks with a new policy capability (see
> security/selinux/include/policycap.h and related code) to avoid
> breaking compatibility on existing systems using BPF tokens, if any.
>
> >
> > Signed-off-by: Daniel Durning <danieldurning.work@gmail.com>
>
> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> > ---
> > security/selinux/hooks.c | 48 ++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 48 insertions(+)
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 335fbf76cdd2..bffddffe0b25 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -7154,6 +7154,52 @@ static void selinux_bpf_token_free(struct bpf_token *token)
> > token->security = NULL;
> > kfree(bpfsec);
> > }
> > +
> > +static int selinux_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
> > +{
> > + struct bpf_security_struct *bpfsec = token->security;
> > + u32 sid = bpfsec->sid;
> > + int ret;
> > +
> > + switch (cmd) {
> > + case BPF_MAP_CREATE:
> > + ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
> > + NULL);
> > + break;
> > + case BPF_PROG_LOAD:
> > + ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
> > + NULL);
> > + break;
> > + default:
> > + ret = 0;
> > + break;
> > + }
> > +
> > + return ret;
> > +}
> > +
> > +static int selinux_bpf_token_capable(const struct bpf_token *token, int cap)
> > +{
> > + u16 sclass;
> > + struct bpf_security_struct *bpfsec = token->security;
> > + u32 sid = bpfsec->sid;
> > + u32 av = CAP_TO_MASK(cap);
> > +
> > + switch (CAP_TO_INDEX(cap)) {
> > + case 0:
> > + sclass = SECCLASS_CAP_USERNS;
> > + break;
> > + case 1:
> > + sclass = SECCLASS_CAP2_USERNS;
> > + break;
> > + default:
> > + pr_err("SELinux: out of range capability %d\n", cap);
> > + return -EINVAL;
> > + }
> > +
> > + return avc_has_perm(sid, sid, sclass, av, NULL);
> > +}
> > +
> > #endif
> >
> > struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
> > @@ -7525,6 +7571,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
> > LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
> > LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
> > LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
> > + LSM_HOOK_INIT(bpf_token_cmd, selinux_bpf_token_cmd),
> > + LSM_HOOK_INIT(bpf_token_capable, selinux_bpf_token_capable),
> > #endif
> >
> > #ifdef CONFIG_PERF_EVENTS
> > --
> > 2.50.1
> >
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-01 19:29 ` Stephen Smalley
@ 2025-08-03 12:28 ` Paul Moore
2025-08-04 12:18 ` Stephen Smalley
From: Paul Moore @ 2025-08-03 12:28 UTC (permalink / raw)
To: Stephen Smalley, danieldurning.work, ericsu; +Cc: selinux, omosnace
On August 1, 2025 3:30:02 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Fri, Aug 1, 2025 at 2:38 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
>>
>> On Fri, Aug 1, 2025 at 11:49 AM <danieldurning.work@gmail.com> wrote:
>>>
>>> From: Daniel Durning <danieldurning.work@gmail.com>
>>>
>>> Implement bpf_token_cmd and bpf_token_capable hooks for SELinux.
>>> For both hooks we check against the token SID, to support
>>> delegation. We could add a further check based on process SID
>>> when the token is first created.
>>
>> I agree with the approach - it is consistent with how tokens are used.
>> I suppose we could perform a process-based check in
>> selinux_bpf_token_create() if it was generic, or add one to each of
>> these hooks if we want a different permission for different cmd or cap
>> values.
>
> Ah, actually that doesn't look viable at least for the token capable
> checks, since those look like they can occur from outside of process
> context if I am reading the code correctly.
>>>
Eric Suen has also been working on a SELinux BPF token implementation too,
and I believe he is planning to post it upstream for review soon.
I do expect we'll need to have a discussion about the access controls,
especially the labels involved, as BPF tokens are quite a bit different from
many of the other SELinux access controls.
--
paul-moore.com
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-03 12:28 ` Paul Moore
@ 2025-08-04 12:18 ` Stephen Smalley
2025-08-04 20:13 ` Paul Moore
From: Stephen Smalley @ 2025-08-04 12:18 UTC (permalink / raw)
To: Paul Moore; +Cc: danieldurning.work, ericsu, selinux, omosnace
On Sun, Aug 3, 2025 at 8:29 AM Paul Moore <paul@paul-moore.com> wrote:
>
> On August 1, 2025 3:30:02 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > On Fri, Aug 1, 2025 at 2:38 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> >>
> >> On Fri, Aug 1, 2025 at 11:49 AM <danieldurning.work@gmail.com> wrote:
> >>>
> >>> From: Daniel Durning <danieldurning.work@gmail.com>
> >>>
> >>> Implement bpf_token_cmd and bpf_token_capable hooks for SELinux.
> >>> For both hooks we check against the token SID, to support
> >>> delegation. We could add a further check based on process SID
> >>> when the token is first created.
> >>
> >> I agree with the approach - it is consistent with how tokens are used.
> >> I suppose we could perform a process-based check in
> >> selinux_bpf_token_create() if it was generic, or add one to each of
> >> these hooks if we want a different permission for different cmd or cap
> >> values.
> >
> > Ah, actually that doesn't look viable at least for the token capable
> > checks, since those look like they can occur from outside of process
> > context if I am reading the code correctly.
> >>>
>
> Eric Suen has also been working on a SELinux BPF token implementation too,
> and I believe he is planning to post it upstream for review soon.
>
> I do expect we'll need to have a discussion about the access controls,
> especially the labels involved, as BPF tokens are quite bit different from
> many of the other SELinux access controls.
Eric - note that Daniel also posted a patch for the selinux-testsuite
to exercise these hooks and checks based on the Linux kernel self-test
for bpf tokens, see
https://lore.kernel.org/selinux/CAEjxPJ7DBDnZEFvgpe58K4B+4kZdOqUGMHvGC2vKt-4Zget=Hg@mail.gmail.com/T/#t
Paul - it would be good to avoid such duplication of effort in the
future, maybe we should be tracking such things in the GitHub project?
>
> --
> paul-moore.com
>
>
>
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-04 12:18 ` Stephen Smalley
@ 2025-08-04 20:13 ` Paul Moore
2025-08-05 14:17 ` Daniel Durning
From: Paul Moore @ 2025-08-04 20:13 UTC (permalink / raw)
To: Stephen Smalley, danieldurning.work, ericsu; +Cc: selinux, omosnace
On Mon, Aug 4, 2025 at 8:18 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> Eric - note that Daniel also posted a patch for the selinux-testsuite
> to exercise these hooks and checks based on the Linux kernel self-test
> for bpf tokens, see
> https://lore.kernel.org/selinux/CAEjxPJ7DBDnZEFvgpe58K4B+4kZdOqUGMHvGC2vKt-4Zget=Hg@mail.gmail.com/T/#t
FWIW, I believe Eric has some basic tests too, although I will admit
to losing track of that aspect, as we have had several months of
setbacks lately due to package building, email, etc.
> Paul - it would be good to avoid such duplication of effort in the
> future, maybe we should be tracking such things in the GitHub project?
Yes, it's unfortunate when we see duplicated work, but thankfully it
happens very rarely in our case. We can track things on GitHub, but
with development happening largely on the mailing list I'm skeptical
about how successful that will end up being. Our GH related efforts
have been very mixed thus far. Another option might simply be to tell
people to announce a development effort on the mailing list, although
I can see that having problems too.
If there are some positives, it may be that both Daniel and Eric's
work are still in the early stages, so there is likely room for the
two of them to cooperate together on a solution. Daniel, Eric, what
do you think about that?
--
paul-moore.com
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-04 20:13 ` Paul Moore
@ 2025-08-05 14:17 ` Daniel Durning
2025-08-05 18:19 ` Eric Suen
From: Daniel Durning @ 2025-08-05 14:17 UTC (permalink / raw)
To: Paul Moore; +Cc: Stephen Smalley, ericsu, selinux, omosnace
On Mon, Aug 4, 2025 at 4:13 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Mon, Aug 4, 2025 at 8:18 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > Eric - note that Daniel also posted a patch for the selinux-testsuite
> > to exercise these hooks and checks based on the Linux kernel self-test
> > for bpf tokens, see
> > https://lore.kernel.org/selinux/CAEjxPJ7DBDnZEFvgpe58K4B+4kZdOqUGMHvGC2vKt-4Zget=Hg@mail.gmail.com/T/#t
>
> FWIW, I believe Eric has some basic tests too, although I will admit
> to losing track of that aspect, as we have had several months of
> setbacks lately due to package building, email, etc.
>
> > Paul - it would be good to avoid such duplication of effort in the
> > future, maybe we should be tracking such things in the GitHub project?
>
> Yes, it's unfortunate when we see duplicated work, but thankfully it
> happens very rarely in our case. We can track things on GitHub, but
> with development happening largely on the mailing list I'm skeptical
> about how successful that will end up being. Our GH related efforts
> have been very mixed thus far. Another option might simply be to tell
> people to announce a development effort on the mailing list, although
> I can see that having problems too.
>
> If there are some positives, it may be that both Daniel and Eric's
> work are still in the early stages, so there is likely room for the
> two of them to cooperate together on a solution. Daniel, Eric, what
> do you think about that?
I would be happy to work with Eric on a solution. Looking forward to
seeing his patch once it gets posted.
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-05 14:17 ` Daniel Durning
@ 2025-08-05 18:19 ` Eric Suen
2025-08-06 18:30 ` Eric Suen
From: Eric Suen @ 2025-08-05 18:19 UTC (permalink / raw)
To: Daniel Durning, Paul Moore; +Cc: Stephen Smalley, selinux, omosnace
On 8/5/2025 7:17 AM, Daniel Durning wrote:
> On Mon, Aug 4, 2025 at 4:13 PM Paul Moore<paul@paul-moore.com> wrote:
>> On Mon, Aug 4, 2025 at 8:18 AM Stephen Smalley
>> <stephen.smalley.work@gmail.com> wrote:
>>> Eric - note that Daniel also posted a patch for the selinux-testsuite
>>> to exercise these hooks and checks based on the Linux kernel self-test
>>> for bpf tokens, see
>>> https://lore.kernel.org/selinux/CAEjxPJ7DBDnZEFvgpe58K4B+4kZdOqUGMHvGC2vKt-4Zget=Hg@mail.gmail.com/T/#t
>> FWIW, I believe Eric has some basic tests too, although I will admit
>> to losing track of that aspect, as we have had several months of
>> setbacks lately due to package building, email, etc.
>>
>>> Paul - it would be good to avoid such duplication of effort in the
>>> future, maybe we should be tracking such things in the GitHub project?
>> Yes, it's unfortunate when we see duplicated work, but thankfully it
>> happens very rarely in our case. We can track things on GitHub, but
>> with development happening largely on the mailing list I'm skeptical
>> about how successful that will end up being. Our GH related efforts
>> have been very mixed thus far. Another option might simply be to tell
>> people to announce a development effort on the mailing list, although
>> I can see that having problems too.
>>
>> If there are some positives, it may be that both Daniel and Eric's
>> work are still in the early stages, so there is likely room for the
>> two of them to cooperate together on a solution. Daniel, Eric, what
>> do you think about that?
> I would be happy to work with Eric on a solution. Looking forward to
> seeing his patch once it gets posted.
Thanks a lot, Daniel. I was actually hesitant to send out my changes
since you
already have test changes prepared, and I didn’t want to step on your toes.
Really appreciate your openness to collaborate.
I'll send out my patch soon and make sure to reference your test work in the
description.
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-05 18:19 ` Eric Suen
@ 2025-08-06 18:30 ` Eric Suen
From: Eric Suen @ 2025-08-06 18:30 UTC (permalink / raw)
To: Daniel Durning, Paul Moore; +Cc: Stephen Smalley, selinux, omosnace
On 8/5/2025 11:19 AM, Eric Suen wrote:
> On 8/5/2025 7:17 AM, Daniel Durning wrote:
>> On Mon, Aug 4, 2025 at 4:13 PM Paul Moore<paul@paul-moore.com> wrote:
>>> On Mon, Aug 4, 2025 at 8:18 AM Stephen Smalley
>>> <stephen.smalley.work@gmail.com> wrote:
>>>> Eric - note that Daniel also posted a patch for the selinux-testsuite
>>>> to exercise these hooks and checks based on the Linux kernel self-test
>>>> for bpf tokens, see
>>>> https://lore.kernel.org/selinux/CAEjxPJ7DBDnZEFvgpe58K4B+4kZdOqUGMHvGC2vKt-4Zget=Hg@mail.gmail.com/T/#t
>>>>
>>> FWIW, I believe Eric has some basic tests too, although I will admit
>>> to losing track of that aspect, as we have had several months of
>>> setbacks lately due to package building, email, etc.
>>>
>>>> Paul - it would be good to avoid such duplication of effort in the
>>>> future, maybe we should be tracking such things in the GitHub project?
>>> Yes, it's unfortunate when we see duplicated work, but thankfully it
>>> happens very rarely in our case. We can track things on GitHub, but
>>> with development happening largely on the mailing list I'm skeptical
>>> about how successful that will end up being. Our GH related efforts
>>> have been very mixed thus far. Another option might simply be to tell
>>> people to announce a development effort on the mailing list, although
>>> I can see that having problems too.
>>>
>>> If there are some positives, it may be that both Daniel and Eric's
>>> work are still in the early stages, so there is likely room for the
>>> two of them to cooperate together on a solution. Daniel, Eric, what
>>> do you think about that?
>> I would be happy to work with Eric on a solution. Looking forward to
>> seeing his patch once it gets posted.
>
> Thanks a lot, Daniel. I was actually hesitant to send out my changes
> since you
>
> already have test changes prepared, and I didn’t want to step on your
> toes.
>
> Really appreciate your openness to collaborate.
>
> I'll send out my patch soon and make sure to reference your test work
> in the
>
> description.
>
>
Daniel - I just posted my patch. It's available here:
https://lore.kernel.org/selinux/20250806180149.1995-1-ericsu@linux.microsoft.com/
Over the next couple of days, I'll build and run your test changes
against it to check for any unexpected issues.
* Re: [PATCH] selinux: implement bpf_token_cmd and bpf_token_capable hooks
2025-08-01 18:38 ` Stephen Smalley
2025-08-01 19:29 ` Stephen Smalley
@ 2025-08-04 13:20 ` Stephen Smalley
From: Stephen Smalley @ 2025-08-04 13:20 UTC (permalink / raw)
To: danieldurning.work; +Cc: selinux, paul, omosnace, Eric Suen
On Fri, Aug 1, 2025 at 2:38 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Aug 1, 2025 at 11:49 AM <danieldurning.work@gmail.com> wrote:
> >
> > From: Daniel Durning <danieldurning.work@gmail.com>
> >
> > Implement bpf_token_cmd and bpf_token_capable hooks for SELinux.
> > For both hooks we check against the token SID, to support
> > delegation. We could add a further check based on process SID
> > when the token is first created.
>
> I agree with the approach - it is consistent with how tokens are used.
> I suppose we could perform a process-based check in
> selinux_bpf_token_create() if it was generic, or add one to each of
> these hooks if we want a different permission for different cmd or cap
> values.
>
> We may need to wrap these checks with a new policy capability (see
> security/selinux/include/policycap.h and related code) to avoid
> breaking compatibility on existing systems using BPF tokens, if any.
I have added some notes with links to examples of how to add a new
SELinux policy capability to the SELinux kernel Getting Started guide
at:
https://github.com/SELinuxProject/selinux-kernel/wiki/Getting-Started#adding-a-new-selinux-policy-capability
>
> >
> > Signed-off-by: Daniel Durning <danieldurning.work@gmail.com>
>
> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> > ---
> > security/selinux/hooks.c | 48 ++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 48 insertions(+)
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 335fbf76cdd2..bffddffe0b25 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -7154,6 +7154,52 @@ static void selinux_bpf_token_free(struct bpf_token *token)
> > token->security = NULL;
> > kfree(bpfsec);
> > }
> > +
> > +static int selinux_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
> > +{
> > + struct bpf_security_struct *bpfsec = token->security;
> > + u32 sid = bpfsec->sid;
> > + int ret;
> > +
> > + switch (cmd) {
> > + case BPF_MAP_CREATE:
> > + ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
> > + NULL);
> > + break;
> > + case BPF_PROG_LOAD:
> > + ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
> > + NULL);
> > + break;
> > + default:
> > + ret = 0;
> > + break;
> > + }
> > +
> > + return ret;
> > +}
> > +
> > +static int selinux_bpf_token_capable(const struct bpf_token *token, int cap)
> > +{
> > + u16 sclass;
> > + struct bpf_security_struct *bpfsec = token->security;
> > + u32 sid = bpfsec->sid;
> > + u32 av = CAP_TO_MASK(cap);
> > +
> > + switch (CAP_TO_INDEX(cap)) {
> > + case 0:
> > + sclass = SECCLASS_CAP_USERNS;
> > + break;
> > + case 1:
> > + sclass = SECCLASS_CAP2_USERNS;
> > + break;
> > + default:
> > + pr_err("SELinux: out of range capability %d\n", cap);
> > + return -EINVAL;
> > + }
> > +
> > + return avc_has_perm(sid, sid, sclass, av, NULL);
> > +}
> > +
> > #endif
> >
> > struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
> > @@ -7525,6 +7571,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
> > LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
> > LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
> > LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
> > + LSM_HOOK_INIT(bpf_token_cmd, selinux_bpf_token_cmd),
> > + LSM_HOOK_INIT(bpf_token_capable, selinux_bpf_token_capable),
> > #endif
> >
> > #ifdef CONFIG_PERF_EVENTS
> > --
> > 2.50.1
> >