libsepol/include/sepol/policydb/polcaps.h | 1 + libsepol/src/polcaps.c | 1 + 2 files changed, 2 insertions(+)
This adds the necessary userspace pieces to support the
functionfs_seclabel policycap which enables per-file labels in
functionfs and the ability for userspace to apply the labels.
With the policycap disabled, legacy behaviors are maintained and
per-file labeling is disallowed.
Signed-off-by: Neill Kapron <nkapron@google.com>
Changes since v2:
- Sending as separate patches
---
libsepol/include/sepol/policydb/polcaps.h | 1 +
libsepol/src/polcaps.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
index 0835ea21..bbaebf1a 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@@ -19,6 +19,7 @@ enum {
POLICYDB_CAP_NETLINK_XPERM,
POLICYDB_CAP_NETIF_WILDCARD,
POLICYDB_CAP_GENFS_SECLABEL_WILDCARD,
+ POLICYDB_CAP_FUNCTIONFS_SECLABEL,
__POLICYDB_CAP_MAX
};
#define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
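Review bot: The position of `POLICYDB_CAP_FUNCTIONFS_SECLABEL` in this enum is, as far as I can tell, what ends up as the bit index in the compiled policy's policycaps bitmap, yet nothing in the header says the ordering is an ABI shared with the kernel, so a later contributor could insert a value above it or reorder the list. A short comment above the enum would make the contract explicit, e.g. `/* Order is ABI: each value is a bit index in the policy's policycaps bitmap and must match the kernel's policy capability enum; append new capabilities only. */`. The enum itself opens before the hunk (only its closing `};` and the `POLICYDB_CAP_MAX` define are visible here).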
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
index 7ac0ae7c..83eb6143 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@@ -18,6 +18,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = {
[POLICYDB_CAP_NETLINK_XPERM] = "netlink_xperm",
[POLICYDB_CAP_NETIF_WILDCARD] = "netif_wildcard",
[POLICYDB_CAP_GENFS_SECLABEL_WILDCARD] = "genfs_seclabel_wildcard",
+ [POLICYDB_CAP_FUNCTIONFS_SECLABEL] = "functionfs_seclabel",
};
int sepol_polcap_getnum(const char *name)
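Review bot: The added table entry is the only thing tying the string `"functionfs_seclabel"` to `POLICYDB_CAP_FUNCTIONFS_SECLABEL`, and nothing checks that the name resolves back to the enumerator; a typo here would leave the capability unreachable from policy sources even though the bit exists. Since `sepol_polcap_getnum` is the name-to-index path and its body begins after the hunk, a round-trip assertion in the libsepol tests would pin it: `assert(sepol_polcap_getnum("functionfs_seclabel") == POLICYDB_CAP_FUNCTIONFS_SECLABEL);`. The string should presumably also match the name the kernel exposes for this capability so tooling sees one spelling on both sides, which I cannot confirm from this patch alone.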
--
2.51.0.318.gd7df087d1a-goog
On Thu, Aug 28, 2025 at 1:05 PM Neill Kapron <nkapron@google.com> wrote: > > This adds the necessary userspace pieces to support the > functionfs_seclabel policycap which enables per-file labels in > functionfs and the ability for userspace to apply the labels. > > With the policycap disabled, legacy behaviors are maintained and > per-file labeling is disallowed. > > Signed-off-by: Neill Kapron <nkapron@google.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > Changes since v2: > - Sending as separate patches > --- > libsepol/include/sepol/policydb/polcaps.h | 1 + > libsepol/src/polcaps.c | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h > index 0835ea21..bbaebf1a 100644 > --- a/libsepol/include/sepol/policydb/polcaps.h > +++ b/libsepol/include/sepol/policydb/polcaps.h > @@ -19,6 +19,7 @@ enum { > POLICYDB_CAP_NETLINK_XPERM, > POLICYDB_CAP_NETIF_WILDCARD, > POLICYDB_CAP_GENFS_SECLABEL_WILDCARD, > + POLICYDB_CAP_FUNCTIONFS_SECLABEL, > __POLICYDB_CAP_MAX > }; > #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) > diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c > index 7ac0ae7c..83eb6143 100644 > --- a/libsepol/src/polcaps.c > +++ b/libsepol/src/polcaps.c > @@ -18,6 +18,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = { > [POLICYDB_CAP_NETLINK_XPERM] = "netlink_xperm", > [POLICYDB_CAP_NETIF_WILDCARD] = "netif_wildcard", > [POLICYDB_CAP_GENFS_SECLABEL_WILDCARD] = "genfs_seclabel_wildcard", > + [POLICYDB_CAP_FUNCTIONFS_SECLABEL] = "functionfs_seclabel", > }; > > int sepol_polcap_getnum(const char *name) > -- > 2.51.0.318.gd7df087d1a-goog >
On Wed, Sep 10, 2025 at 10:11 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Thu, Aug 28, 2025 at 1:05 PM Neill Kapron <nkapron@google.com> wrote: > > > > This adds the necessary userspace pieces to support the > > functionfs_seclabel policycap which enables per-file labels in > > functionfs and the ability for userspace to apply the labels. > > > > With the policycap disabled, legacy behaviors are maintained and > > per-file labeling is disallowed. > > > > Signed-off-by: Neill Kapron <nkapron@google.com> > > Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Thanks, merged. > > > > > Changes since v2: > > - Sending as separate patches > > --- > > libsepol/include/sepol/policydb/polcaps.h | 1 + > > libsepol/src/polcaps.c | 1 + > > 2 files changed, 2 insertions(+) > > > > diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h > > index 0835ea21..bbaebf1a 100644 > > --- a/libsepol/include/sepol/policydb/polcaps.h > > +++ b/libsepol/include/sepol/policydb/polcaps.h > > @@ -19,6 +19,7 @@ enum { > > POLICYDB_CAP_NETLINK_XPERM, > > POLICYDB_CAP_NETIF_WILDCARD, > > POLICYDB_CAP_GENFS_SECLABEL_WILDCARD, > > + POLICYDB_CAP_FUNCTIONFS_SECLABEL, > > __POLICYDB_CAP_MAX > > }; > > #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) > > diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c > > index 7ac0ae7c..83eb6143 100644 > > --- a/libsepol/src/polcaps.c > > +++ b/libsepol/src/polcaps.c > > @@ -18,6 +18,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = { > > [POLICYDB_CAP_NETLINK_XPERM] = "netlink_xperm", > > [POLICYDB_CAP_NETIF_WILDCARD] = "netif_wildcard", > > [POLICYDB_CAP_GENFS_SECLABEL_WILDCARD] = "genfs_seclabel_wildcard", > > + [POLICYDB_CAP_FUNCTIONFS_SECLABEL] = "functionfs_seclabel", > > }; > > > > int sepol_polcap_getnum(const char *name) > > -- > > 2.51.0.318.gd7df087d1a-goog > >
On Thu, Aug 28, 2025 at 1:05 PM Neill Kapron <nkapron@google.com> wrote: > > This adds the necessary userspace pieces to support the > functionfs_seclabel policycap which enables per-file labels in > functionfs and the ability for userspace to apply the labels. > > With the policycap disabled, legacy behaviors are maintained and > per-file labeling is disallowed. > > Signed-off-by: Neill Kapron <nkapron@google.com> Same caveat here - don't rely on this policy capability bit remaining stable until the kernel patch is merged and de-conflicted with the other recent patches introducing policy capabilities. And likewise, again doesn't require re-spinning IMHO but the changelog below should go after the "---" so it doesn't get included in the commit message since it becomes irrelevant once the patch is merged. Will wait to Ack this one until the kernel patch is merged. > > Changes since v2: > - Sending as separate patches > --- > libsepol/include/sepol/policydb/polcaps.h | 1 + > libsepol/src/polcaps.c | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h > index 0835ea21..bbaebf1a 100644 > --- a/libsepol/include/sepol/policydb/polcaps.h > +++ b/libsepol/include/sepol/policydb/polcaps.h > @@ -19,6 +19,7 @@ enum { > POLICYDB_CAP_NETLINK_XPERM, > POLICYDB_CAP_NETIF_WILDCARD, > POLICYDB_CAP_GENFS_SECLABEL_WILDCARD, > + POLICYDB_CAP_FUNCTIONFS_SECLABEL, > __POLICYDB_CAP_MAX > }; > #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1) > diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c > index 7ac0ae7c..83eb6143 100644 > --- a/libsepol/src/polcaps.c > +++ b/libsepol/src/polcaps.c 
> @@ -18,6 +18,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = { > [POLICYDB_CAP_NETLINK_XPERM] = "netlink_xperm", > [POLICYDB_CAP_NETIF_WILDCARD] = "netif_wildcard", > [POLICYDB_CAP_GENFS_SECLABEL_WILDCARD] = "genfs_seclabel_wildcard", > + [POLICYDB_CAP_FUNCTIONFS_SECLABEL] = "functionfs_seclabel", > }; > > int sepol_polcap_getnum(const char *name) > -- > 2.51.0.318.gd7df087d1a-goog >