From: Liem
To: stable@vger.kernel.org
Cc: Paul Moore, Stephen Smalley, Eric Paris, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, Christian Göttsche, Liem
Subject: [PATCH 5.15.y] selinux: enable genfscon labeling for securityfs
Date: Tue, 26 May 2026 21:59:21 +0800
Message-Id: <20260526135921.17453-1-liem16213@gmail.com>

From: Christian Göttsche

commit 8a764ef1bd43 ("selinux: enable genfscon labeling for securityfs")

Add support for genfscon per-file labeling of securityfs files. This
allows for separate labels and thereby access control for different
files. For example a genfscon statement

    genfscon securityfs /integrity/ima/policy \
        system_u:object_r:ima_policy_t:s0

will set a private label to the IMA policy file and thus allow to
control the ability to set the IMA policy. Setting labels directly
with setxattr(2), e.g. by chcon(1) or setfiles(8), is still not
supported.

Signed-off-by: Christian Göttsche
[PM: line width fixes in the commit description]
Signed-off-by: Paul Moore
(cherry picked from commit 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716)
Signed-off-by: Liem

--- security/selinux/hooks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 69143a216a3c..1c0f8209f130 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -741,7 +741,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "binder") || !strcmp(sb->s_type->name, "bpf") || - !strcmp(sb->s_type->name, "pstore")) + !strcmp(sb->s_type->name, "pstore") || + !strcmp(sb->s_type->name, "securityfs")) sbsec->flags |=3D SE_SBGENFS; =20 if (!strcmp(sb->s_type->name, "sysfs") || --=20 2.34.1
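
Review bot: The added `!strcmp(sb->s_type->name, "securityfs")` arm in selinux_set_mnt_opts() changes labeling behaviour on a stable branch, and the backport message does not say which problem in 5.15.y it addresses. Once SE_SBGENFS is set for securityfs, a loaded policy that already carries per-path `genfscon securityfs` entries will label those files differently after the kernel update, so access decisions on files such as /integrity/ima/policy can change with no policy change on the system. Please add a sentence to the backport stating why 5.15.y needs this and what policy authors should expect. The hunk leaves the following `sysfs` condition untouched, which is consistent with the statement that setxattr(2) labeling is still not supported; a short comment at the securityfs arm saying that this is intentional would keep a later edit from extending it by accident.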