Add support for genfscon per-file labeling of securityfs files. This allows
for separate labels and thereby access control for different files.
For example a genfscon statement
genfscon securityfs /integrity/ima/policy system_u:object_r:ima_policy_t:s0
will set a private label to the IMA policy file and thus allow to
control the ability to set the IMA policy.
Setting labels directly with setxattr(2), e.g. by chcon(1) or
setfiles(8), is still not supported.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
v2:
- improve commit description
security/selinux/hooks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 012e8504ed9e..549f631e9832 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
!strcmp(sb->s_type->name, "tracefs") ||
!strcmp(sb->s_type->name, "binder") ||
!strcmp(sb->s_type->name, "bpf") ||
- !strcmp(sb->s_type->name, "pstore"))
+ !strcmp(sb->s_type->name, "pstore") ||
+ !strcmp(sb->s_type->name, "securityfs"))
sbsec->flags |= SE_SBGENFS;
if (!strcmp(sb->s_type->name, "sysfs") ||
--
2.33.0
