diff options
| author | Neill Kapron <nkapron@google.com> | 2025-08-28 17:03:15 +0000 | 
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2025-09-07 12:54:56 -0400 | 
| commit | 68e1e908cb7682db9fb7f79907f9352435a81c0f (patch) | |
| tree | 17613d161517fe475086cd1c0dedea5eba4b620d /security/selinux/hooks.c | |
| parent | 59ffc9beeb8b332940d36f4b9803352b7f893f5a (diff) | |
selinux: enable per-file labeling for functionfs
This patch adds support for genfscon per-file labeling of functionfs
files as well as support for userspace to apply labels after new
functionfs endpoints are created.
This allows for separate labels and therefore access control on a
per-endpoint basis. An example use case would be for the default
endpoint EP0 used as a restricted control endpoint, and additional
usb endpoints to be used by other more permissive domains.
It should be noted that if there are multiple functionfs mounts on a
system, genfs file labels will apply to all mounts, and therefore will not
likely be as useful as the userspace relabeling portion of this patch -
the addition to selinux_is_genfs_special_handling().
This patch introduces the functionfs_seclabel policycap to maintain
existing functionfs genfscon behavior unless explicitly enabled.
Signed-off-by: Neill Kapron <nkapron@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: trim changelog, apply boolean logic fixup]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 8 | 
1 files changed, 6 insertions, 2 deletions
| diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e474cd7398ef..0e47b4bb8d40 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -476,7 +476,9 @@ static int selinux_is_genfs_special_handling(struct super_block *sb)  		!strcmp(sb->s_type->name, "rootfs") ||  		(selinux_policycap_cgroupseclabel() &&  		 (!strcmp(sb->s_type->name, "cgroup") || -		  !strcmp(sb->s_type->name, "cgroup2"))); +		  !strcmp(sb->s_type->name, "cgroup2"))) || +		(selinux_policycap_functionfs_seclabel() && +		 !strcmp(sb->s_type->name, "functionfs"));  }  static int selinux_is_sblabel_mnt(struct super_block *sb) @@ -741,7 +743,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,  	    !strcmp(sb->s_type->name, "binder") ||  	    !strcmp(sb->s_type->name, "bpf") ||  	    !strcmp(sb->s_type->name, "pstore") || -	    !strcmp(sb->s_type->name, "securityfs")) +	    !strcmp(sb->s_type->name, "securityfs") || +	    (selinux_policycap_functionfs_seclabel() && +	     !strcmp(sb->s_type->name, "functionfs")))  		sbsec->flags |= SE_SBGENFS;  	if (!strcmp(sb->s_type->name, "sysfs") || | 
