Commit ffb10876 authored by Neill Kapron

BACKPORT: FROMGIT: selinux: enable per-file labeling for functionfs
This patch adds support for genfscon per-file labeling of functionfs
files as well as support for userspace to apply labels after new
functionfs endpoints are created.

This allows for separate labels and therefore access control on a
per-endpoint basis. An example use case would be for the default
endpoint EP0 used as a restricted control endpoint, and additional
usb endpoints to be used by other more permissive domains.

It should be noted that if there are multiple functionfs mounts on a
system, genfs file labels will apply to all mounts, and therefore will not
likely be as useful as the userspace relabeling portion of this patch -
the addition to selinux_is_genfs_special_handling().

This patch introduces the functionfs_seclabel policycap to maintain
existing functionfs genfscon behavior unless explicitly enabled.

Signed-off-by: Neill Kapron <nkapron@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: trim changelog, apply boolean logic fixup]
Signed-off-by: Paul Moore <paul@paul-moore.com>

Bug: 407985367
Bug: 416223903
Link: https://lore.kernel.org/selinux/20250828170317.2322582-1-nkapron@google.com
(cherry picked from commit 68e1e908 https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next)
[nkapron@google.com: removed functionfs policycap due to ABI breakage]
Signed-off-by: Neill Kapron <nkapron@google.com>
Cherrypick-From: https://android-review.googlesource.com/q/commit:532c452095b99e52580db02cd5842365b2bbb615
Merged-In: I28c674e60ba5958bf2dbcb2d462270816d8e29c5
Change-Id: I28c674e60ba5958bf2dbcb2d462270816d8e29c5
[nkapron@google.com: resolved minor merge conflict as older kernel
does not have the check for securityfs]
Signed-off-by: Neill Kapron <nkapron@google.com>
parent 81fad419