[BUG] lsm= with bpf before selinux breaks fscreate with EINVAL

Paul Moore paul at paul-moore.com
Mon May 11 20:19:34 UTC 2026


On Sun, May 10, 2026 at 5:17 PM Vitaly Chikunov <vt at altlinux.org> wrote:
>
> Hi,
>
> We have boot failure when CONFIG_LSM has "bpf" listed before "selinux"
> (without bpf lsm scripts loaded). (This also happens with a boot with
> "security=selinux" if selinux was not in LSM= list but bpf is.)
>
> systemd reports on the failing boot attempt:
>
>   Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/shm: Invalid argument
>   Mounting tmpfs to /dev/shm of type tmpfs with options mode=01777.
>   Mounting tmpfs (tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777")...
>   Failed to mount tmpfs (type tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=01777"): No such file or directory
>   Failed to set SELinux security context generic_u:object_r:device:s0 for /dev/pts: Invalid argument
>   Mounting devpts to /dev/pts of type devpts with options mode=0620,gid=5.
>   Mounting devpts (devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5")...
>   Failed to mount devpts (type devpts) on /dev/pts (MS_NOSUID|MS_NOEXEC "mode=0620,gid=5"): No such file or directory
>   No filesystem is currently mounted on /sys/fs/cgroup.
>   Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/cgroup: Invalid argument
>   Mounting cgroup2 to /sys/fs/cgroup of type cgroup2 with options nsdelegate,memory_recursiveprot.
>   Mounting cgroup2 (cgroup2) on /sys/fs/cgroup (MS_NOSUID|MS_NODEV|MS_NOEXEC "nsdelegate,memory_recursiveprot")...
>   Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/pstore: Invalid argument
>   Mounting pstore to /sys/fs/pstore of type pstore with options n/a.
>   Mounting pstore (pstore) on /sys/fs/pstore (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
>   Failed to set SELinux security context generic_u:object_r:def_t:s0 for /sys/fs/bpf: Invalid argument
>   Mounting bpf to /sys/fs/bpf of type bpf with options mode=0700.
>   Mounting bpf (bpf) on /sys/fs/bpf (MS_NOSUID|MS_NODEV|MS_NOEXEC "mode=0700")...
>   [!!!!!!] Failed to mount API filesystems.
>   Freezing execution
>
> 'Invalid argument' seems to come from setfscreatecon_raw.
>
> Reproducer:
>
>   Boot with lsm=lockdown,capability,landlock,yama,safesetid,bpf,selinux,ima,evm
>
>   (none):~# cat /proc/thread-self/attr/current
>   cat: /proc/thread-self/attr/current: Invalid argument
>   (none):~# echo > /proc/thread-self/attr/fscreate
>   bash: echo: write error: Invalid argument
>
> This appears to be caused by security_getprocattr / security_setprocattr
> iterating until the first hook defined (which is bpf) and returning with
> default value -EINVAL before selinux even sees them.

Thanks for the problem report, the general recommendation is to place
the BPF LSM towards the end of the list (see the CONFIG_LSM Kconfig
help text), but we're trying to ensure that the BPF LSM works properly
when placed anywhere in that list.

My apologies if your abilities are well beyond this, but if you are
familiar with patching and building your own kernel, have you tried
changing the LSM_RET_DEFAULT value for those functions to zero/0?
Assuming userspace is happy with that, I believe it may solve this
problem.

-- 
paul-moore.com
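A simplified C model of the dispatch the report describes, added here as an illustration and not code from the kernel or from anyone in this thread: LSMs are walked in lsm= order and the first one that defines getprocattr answers. The hook type, the three-LSM order (yama,bpf,selinux), the stub bodies and the SELinux label are all assumptions; only the -EINVAL default and the ordering effect come from the report.

```c
#include <errno.h>
#include <string.h>
/* Models LSM_RET_DEFAULT(getprocattr), which the report says is -EINVAL. */
#define RET_DEFAULT_GETPROCATTR (-EINVAL)
/* Hypothetical getprocattr hook type; a NULL entry means the LSM does not
 * define the hook (e.g. yama), so the dispatcher skips it. */
typedef int (*getprocattr_fn)(const char *attr, const char **value);
/* The BPF LSM defines every hook with a stub that only returns the default. */
static int bpf_getprocattr(const char *attr, const char **value)
{
    (void)attr; (void)value;
    return RET_DEFAULT_GETPROCATTR;
}

/* SELinux answers "current" with a label (constructed sample value). */
static int selinux_getprocattr(const char *attr, const char **value)
{
    if (strcmp(attr, "current") != 0)
        return -EINVAL;
    *value = "generic_u:generic_r:init_t:s0";
    return (int)strlen(*value);
}

/* Simplified model of security_getprocattr(): walk the LSMs in lsm= order
 * and return whatever the first LSM that defines the hook says. */
static int security_getprocattr_model(const getprocattr_fn *lsms, size_t n,
                                      const char *attr, const char **value)
{
    for (size_t i = 0; i < n; i++)
        if (lsms[i])
            return lsms[i](attr, value);
    return RET_DEFAULT_GETPROCATTR;
}
static const char *last_label; /* label from the most recent call below */
/* Report's order, yama,bpf,selinux: SELinux is never consulted, -EINVAL. */
static int read_current_bpf_first(void)
{
    const getprocattr_fn order[] = { NULL, bpf_getprocattr, selinux_getprocattr };
    last_label = NULL;
    return security_getprocattr_model(order, 3, "current", &last_label);
}

/* Recommended order, yama,selinux,bpf: SELinux's label comes through. */
static int read_current_selinux_first(void)
{
    const getprocattr_fn order[] = { NULL, selinux_getprocattr, bpf_getprocattr };
    last_label = NULL;
    return security_getprocattr_model(order, 3, "current", &last_label);
}
```

The same walk applies to setprocattr, which is why the fscreate write in the reproducer fails the same way; moving bpf after selinux in the list is the check to make on an affected system.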
