author | Chenbo Feng <fengc@google.com> | 2017-10-18 13:00:25 -0700 |
---|---|---|
committer | Michael Bestas <mkbestas@lineageos.org> | 2022-04-19 00:51:16 +0300 |
commit | 5dd97a8acaf41266d17eb2aa743f9e6dc6f5ffaf (patch) | |
tree | 99d7d87b73f3ba2646d4b9369117cfd05441f135 /security/selinux/include/classmap.h | |
parent | 6d6e905c034ae2c025f08a3ef16aaa214aec662f (diff) |
UPSTREAM: selinux: bpf: Add selinux check for eBPF syscall operations
Implement the actual checks introduced to eBPF related syscalls. This
implementation uses the security field inside bpf object to store a sid that
identifies the bpf object. And when processes try to access the object,
selinux will check if processes have the right privileges. The creation
of eBPF objects is also checked at the general bpf check hook and new
cmd introduced to eBPF domain can also be checked there.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry-pick from net-next: ec27c3568a34c7fe5fcf4ac0a354eda77687f7eb)
Bug: 30950746
Change-Id: Ifb0cdd4b7d470223b143646b339ba511ac77c156
Signed-off-by: Chatur27 <jasonbright2709@gmail.com>
Change-Id: I073b5ebe76a280267289357af2b5d8f3afcaffa4
Diffstat (limited to 'security/selinux/include/classmap.h')
-rw-r--r-- | security/selinux/include/classmap.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 8a764f40730b..452851981cb8 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -157,6 +157,8 @@ struct security_class_mapping secclass_map[] = { { COMMON_SOCK_PERMS, "attach_queue", NULL } }, { "binder", { "impersonate", "call", "set_context_mgr", "transfer", NULL } }, + { "bpf", + { "map_create", "map_read", "map_write", "prog_load", "prog_run" } }, { "can_socket", { COMMON_SOCK_PERMS, NULL } }, { NULL } |
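Review bot: the new "bpf" entry's permission list ends at "prog_run" with no NULL terminator, unlike the neighbouring "binder" and "can_socket" entries, which both close their lists with NULL. A brace initializer zero-fills the unused slots, so the list is still terminated in practice, but that is implicit and departs from the convention the rest of secclass_map follows. Suggest making it explicit: `{ "map_create", "map_read", "map_write", "prog_load", "prog_run", NULL } },`. Separately, this view is limited to classmap.h, so the hook code that maps bpf commands to these five permissions is not visible here and should be checked against the names added in this hunk.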