BACKPORT: FROMGIT: selinux: enable per-file labeling for functionfs
This patch adds support for genfscon per-file labeling of functionfs files as well as support for userspace to apply labels after new functionfs endpoints are created. This allows for separate labels and therefore access control on a per-endpoint basis. An example use case would be for the default endpoint EP0 used as a restricted control endpoint, and additional usb endpoints to be used by other more permissive domains.

It should be noted that if there are multiple functionfs mounts on a system, genfs file labels will apply to all mounts, and therefore will not likely be as useful as the userspace relabeling portion of this patch - the addition to selinux_is_genfs_special_handling().

This patch introduces the functionfs_seclabel policycap to maintain existing functionfs genfscon behavior unless explicitly enabled.

Signed-off-by: Neill Kapron <nkapron@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: trim changelog from description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Bug: 407985367
Bug: 416223903
Link: https://lore.kernel.org/selinux/20250828170317.2322582-1-nkapron@google.com
(cherry picked from commit 1b22454bb5e6857ddbc3a10ae57493fcface16e5
 https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next)
[nkapron@google.com: removed functionfs policycap due to ABI breakage]
Change-Id: I87c5da0e16b54d8ba61407073e0187fb8ded0978
Signed-off-by: Neill Kapron <nkapron@google.com>