From 5dd97a8acaf41266d17eb2aa743f9e6dc6f5ffaf Mon Sep 17 00:00:00 2001
From: Chenbo Feng
Date: Wed, 18 Oct 2017 13:00:25 -0700
Subject: UPSTREAM: selinux: bpf: Add selinux check for eBPF syscall operations

Implement the actual checks introduced to eBPF related syscalls. This implementation use the security field inside bpf object to store a sid that identify the bpf object. And when processes try to access the object, selinux will check if processes have the right privileges. The creation of eBPF object are also checked at the general bpf check hook and new cmd introduced to eBPF domain can also be checked there.

Signed-off-by: Chenbo Feng
Acked-by: Alexei Starovoitov
Reviewed-by: James Morris
Signed-off-by: David S. Miller
(cherry-pick from net-next: ec27c3568a34c7fe5fcf4ac0a354eda77687f7eb)
Bug: 30950746
Change-Id: Ifb0cdd4b7d470223b143646b339ba511ac77c156
Signed-off-by: Chatur27
Change-Id: I073b5ebe76a280267289357af2b5d8f3afcaffa4
---
 security/selinux/include/classmap.h | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'security/selinux/include/classmap.h')
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 8a764f40730b..452851981cb8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -157,6 +157,8 @@ struct security_class_mapping secclass_map[] = {
 { COMMON_SOCK_PERMS, "attach_queue", NULL } }, { "binder", { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
+ { "bpf",
+ { "map_create", "map_read", "map_write", "prog_load", "prog_run" } },
 { "can_socket", { COMMON_SOCK_PERMS, NULL } }, { NULL }
-- cgit v1.2.3
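Review bot: The new `bpf` permission list is the only entry in this hunk that does not end with a `NULL` sentinel — the neighbouring `binder` and `can_socket` entries both terminate their lists with `NULL`. The class/permission mapping code walks `perms[]` until it finds a NULL pointer, so this presumably only works because the unused tail of the fixed-size `perms` array in `struct security_class_mapping` is zero-initialized; that reliance should be made explicit and consistent with the rest of the table: `{ "map_create", "map_read", "map_write", "prog_load", "prog_run", NULL } },`. Since every name here must also match the `bpf` class in the policy's access_vectors (a mismatch is only reported when the policy is loaded, not at build time), a short comment such as `/* keep in sync with the bpf class in policy access_vectors */` on the new entry would help the next person who adds a permission. Note that the diffstat shows this cherry-pick touching only classmap.h even though the message describes hook and sid-storage changes, so the remaining upstream hunks are presumably applied elsewhere; the enclosing `secclass_map[]` initializer starts and ends outside the hunk.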