This patch resolves a logic issue with selinux_set_mnt_opts when
selinux_policycap_functionfs_seclabel is enabled. The issue was
introduced between v1 and v2 of the original patchset.
Fixes: 1b22454bb5e6 ("selinux: enable per-file labeling for functionfs")
Signed-off-by: Neill Kapron <nkapron@google.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 333bb6cba25e..0e47b4bb8d40 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -745,7 +745,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
!strcmp(sb->s_type->name, "pstore") ||
!strcmp(sb->s_type->name, "securityfs") ||
(selinux_policycap_functionfs_seclabel() &&
- strcmp(sb->s_type->name, "functionfs")))
+ !strcmp(sb->s_type->name, "functionfs")))
sbsec->flags |= SE_SBGENFS;
if (!strcmp(sb->s_type->name, "sysfs") ||
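Review bot: the commit message says only "a logic issue", but the one-line change at the functionfs comparison has a wider effect that should be spelled out. strcmp() returns non-zero on a mismatch, so with selinux_policycap_functionfs_seclabel() enabled the removed line made this clause true for every filesystem type other than "functionfs", which sets SE_SBGENFS on all of them while the clause never matches functionfs itself. Suggest stating that effect in the commit message, and adding a short comment above the clause noting that functionfs gets SE_SBGENFS only when the policy capability is set, so the intended polarity is as obvious as in the !strcmp() tests for "pstore" and "securityfs" beside it.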
--
2.51.0.355.g5224444f11-goog
On Fri, Sep 5, 2025 at 6:27 PM Neill Kapron <nkapron@google.com> wrote: > > This patch resolves a logic issue with selinux_set_mnt_opts when > selinux_policycap_functionfs_seclabel is enabled. The issue was > introduced between v1 and v2 of the original patchset. > > Fixes: 1b22454bb5e6 ("selinux: enable per-file labeling for functionfs") > Signed-off-by: Neill Kapron <nkapron@google.com> > --- > security/selinux/hooks.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) With the original patch sitting at the top of the selinux/dev branch, are you okay if I simply fixup the existing patch by adding the missing '!'? > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 333bb6cba25e..0e47b4bb8d40 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -745,7 +745,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, > !strcmp(sb->s_type->name, "pstore") || > !strcmp(sb->s_type->name, "securityfs") || > (selinux_policycap_functionfs_seclabel() && > - strcmp(sb->s_type->name, "functionfs"))) > + !strcmp(sb->s_type->name, "functionfs"))) > sbsec->flags |= SE_SBGENFS; > > if (!strcmp(sb->s_type->name, "sysfs") || > -- > 2.51.0.355.g5224444f11-goog -- paul-moore.com
On Fri, Sep 05, 2025 at 10:13:01PM -0400, Paul Moore wrote:
>
> With the original patch sitting at the top of the selinux/dev branch,
> are you okay if I simply fixup the existing patch by adding the
> missing '!'?
>

Yes, that is fine by me. I could submit a v4 if you would prefer that.

Sorry for the thrash,
Neill

On Fri, Sep 5, 2025 at 11:15 PM Neill Kapron <nkapron@google.com> wrote:
> On Fri, Sep 05, 2025 at 10:13:01PM -0400, Paul Moore wrote:
> >
> > With the original patch sitting at the top of the selinux/dev branch,
> > are you okay if I simply fixup the existing patch by adding the
> > missing '!'?
> >
>
> Yes, that is fine by me. I could submit a v4 if you would prefer that.

No need for a v4, it's just a single missing '!' and the commit
happens to still be at the top of the patch stack. In cases like this
it's easier for me to just apply the fix manually.

Fixed the upstream commit and pushed back up to selinux/dev; please
take a look and verify that it looks okay to you.

--
paul-moore.com

On Sun, Sep 07, 2025 at 12:58:33PM -0400, Paul Moore wrote:
>
> No need for a v4, it's just a single missing '!' and the commit
> happens to still be at the top of the patch stack. In cases like this
> it's easier for me to just apply the fix manually.
>
> Fixed the upstream commit and pushed back up to selinux/dev; please
> take a look and verify that it looks okay to you.
>

The commit with the fixup looks good to me.

Thanks,
Neill