selinux: enable genfscon labeling for securityfs

Add support for genfscon per-file labeling of securityfs files. This allows for separate labels and thereby access control for different files. For example a genfscon statement genfscon securityfs /integrity/ima/policy \ system_u:object_r:ima_policy_t:s0 will set a private label to the IMA policy file and thus allow to control the ability to set the IMA policy. Setting labels directly with setxattr(2), e.g. by chcon(1) or setfiles(8), is still not supported. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> [PM: line width fixes in the commit description] Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Christian Göttsche 2021-09-28 17:39:31 +0200
committer: Paul Moore 2021-09-28 18:49:03 -0400
commit: 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716 (patch)
tree: 22a465b0c1c93c2bb0a552e08526630d00d3232b /security
parent: d9d8c93938c40e12de91650d04fceb99d92dad8a (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 012e8504ed9e..549f631e9832 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	    !strcmp(sb->s_type->name, "tracefs") ||
 	    !strcmp(sb->s_type->name, "binder") ||
 	    !strcmp(sb->s_type->name, "bpf") ||
-	    !strcmp(sb->s_type->name, "pstore"))
+	    !strcmp(sb->s_type->name, "pstore") ||
+	    !strcmp(sb->s_type->name, "securityfs"))
 		sbsec->flags |= SE_SBGENFS;
 
 	if (!strcmp(sb->s_type->name, "sysfs") ||
author	Christian Göttsche	2021-09-28 17:39:31 +0200
committer	Paul Moore	2021-09-28 18:49:03 -0400
commit	8a764ef1bd43fb2bb4ff3290746e5c820a3a9716 (patch)
tree	22a465b0c1c93c2bb0a552e08526630d00d3232b /security
parent	d9d8c93938c40e12de91650d04fceb99d92dad8a (diff)