From: liem
To: keescook@chromium.org, anton@enomsg.org, ccross@android.com, tony.luck@intel.com
Cc: paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, 2541289564@qq.com, Christian Göttsche
Subject: [PATCH] selinux: enable genfscon labeling for securityfs
Date: Wed, 20 May 2026 23:00:54 +0800
Message-Id: <20260520150054.27994-1-liem16213@gmail.com>
X-Mailer: git-send-email 2.34.1

From: Christian Göttsche

Add support for genfscon per-file labeling of securityfs files. This
allows for separate labels and thereby access control for different
files.

For example, a genfscon statement

    genfscon securityfs /integrity/ima/policy \
        system_u:object_r:ima_policy_t:s0

will set a private label on the IMA policy file and thus allow control
over the ability to set the IMA policy.

Setting labels directly with setxattr(2), e.g. by chcon(1) or
setfiles(8), is still not supported.

Signed-off-by: Christian Göttsche
[PM: line width fixes in the commit description]
Signed-off-by: Paul Moore
(cherry picked from commit 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716)
---
 security/selinux/hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 69143a216a3c..1c0f8209f130 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -741,7 +741,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "binder") || !strcmp(sb->s_type->name, "bpf") || - !strcmp(sb->s_type->name, "pstore")) + !strcmp(sb->s_type->name, "pstore") || + !strcmp(sb->s_type->name, "securityfs")) sbsec->flags |=3D SE_SBGENFS; =20 if (!strcmp(sb->s_type->name, "sysfs") || --=20 2.34.1
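Review bot: the commit message should state explicitly that the second fstype chain in selinux_set_mnt_opts(), the one that begins at the trailing context line `if (!strcmp(sb->s_type->name, "sysfs") ||`, is deliberately left without "securityfs"; the hunk only extends the chain that ends in `sbsec->flags |= SE_SBGENFS;`, and a reader of the diff alone cannot tell whether the omission is intentional or whether the "setxattr(2) ... is still not supported" sentence is describing a gap that was meant to be closed. A one-line remark tying that sentence to the untouched second chain would settle it. Style point on the same lines: the list of filesystem names handled by back-to-back !strcmp() calls keeps growing one `||` at a time (tracefs, binder, bpf, pstore and now securityfs are visible here); a static array of names walked in a loop would make each future addition a one-token change and keep the two chains easy to diff against each other. Finally, since the patch is marked "(cherry picked from commit 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716)", the submission should say which tree it targets; the Subject carries no stable or backport tag, so it is not clear whether this is a backport request or a resend.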
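What the SE_SBGENFS flag changes for a securityfs inode is easiest to see with a small model of the lookup. The block below is an added example written for this page; it is not kernel code and not part of the patch. It models the genfscon table as an array and reproduces the kernel's longest-prefix match on the path (plain strncmp() on the prefix, not component-aware). Only the `/integrity/ima/policy` entry comes from the commit message; the root entry labelling securityfs as `security_t`, the helper names `genfs_lookup()` and `inode_label()`, and the idea that the pre-patch behaviour is equivalent to always using the "/" entry are assumptions made for the illustration (the real kernel computes the superblock SID once from the "/" match and reuses it for every inode when the flag is clear).

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code.  Models how per-inode labels are
 * derived for a filesystem whose policy uses genfscon, with and without
 * SE_SBGENFS set on the superblock.  The "/" entry and its context are
 * assumed; only the /integrity/ima/policy line is from the commit message.
 */
struct genfs_entry {
	const char *fstype;	/* filesystem type name, e.g. "securityfs" */
	const char *path;	/* path prefix relative to the mount root */
	const char *ctx;	/* security context assigned by the policy */
};

static const struct genfs_entry genfs_table[] = {
	{ "securityfs", "/",                     "system_u:object_r:security_t:s0" },
	{ "securityfs", "/integrity/ima/policy", "system_u:object_r:ima_policy_t:s0" },
};

#define NENTRIES (sizeof(genfs_table) / sizeof(genfs_table[0]))

/*
 * Longest matching prefix wins.  The kernel keeps its list sorted by
 * prefix length at policy load time; here we just scan for the best.
 * Returns NULL when no entry of that fstype matches at all.
 */
const char *genfs_lookup(const char *fstype, const char *path)
{
	const struct genfs_entry *best = NULL;
	size_t best_len = 0;
	size_t i;

	for (i = 0; i < NENTRIES; i++) {
		const struct genfs_entry *e = &genfs_table[i];
		size_t len = strlen(e->path);

		if (strcmp(e->fstype, fstype) != 0)
			continue;
		/* plain prefix compare, as the kernel does: "/a/b" also matches "/a/bc" */
		if (strncmp(e->path, path, len) != 0)
			continue;
		if (best == NULL || len > best_len) {
			best = e;
			best_len = len;
		}
	}
	return best ? best->ctx : NULL;
}

/*
 * Without SE_SBGENFS every inode inherits the superblock's context, which
 * for a genfs-labelled filesystem is the "/" entry (simplified here as a
 * lookup of "/").  With SE_SBGENFS each inode is looked up by its own path,
 * so a more specific genfscon line such as the IMA policy file takes effect.
 */
const char *inode_label(int sb_genfs, const char *fstype, const char *path)
{
	if (!sb_genfs)
		return genfs_lookup(fstype, "/");
	return genfs_lookup(fstype, path);
}

int main(void)
{
	const char *p = "/integrity/ima/policy";

	printf("SE_SBGENFS clear: %s -> %s\n", p, inode_label(0, "securityfs", p));
	printf("SE_SBGENFS set:   %s -> %s\n", p, inode_label(1, "securityfs", p));
	return 0;
}
```

Run as is and the first line shows the pre-patch result (every securityfs file carries the filesystem-wide context), the second the post-patch one (the IMA policy file gets `ima_policy_t` while any other securityfs path still falls back to the "/" entry). The prefix-compare comment is the practical caveat: a genfscon path is a string prefix, so a policy author who wants exactly one file must make sure no sibling path shares that prefix.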