--- /dev/null
+From 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 28 Sep 2021 17:39:31 +0200
+Subject: selinux: enable genfscon labeling for securityfs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian Göttsche <cgzones@googlemail.com>
+
+commit 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716 upstream.
+
+Add support for genfscon per-file labeling of securityfs files.
+This allows for separate labels and thereby access control for
+different files. For example a genfscon statement
+
+ genfscon securityfs /integrity/ima/policy \
+ system_u:object_r:ima_policy_t:s0
+
+will set a private label to the IMA policy file and thus allow to
+control the ability to set the IMA policy. Setting labels directly
+with setxattr(2), e.g. by chcon(1) or setfiles(8), is still not
+supported.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+[PM: line width fixes in the commit description]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Liem <liem16213@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -741,7 +741,8 @@ static int selinux_set_mnt_opts(struct s
+ !strcmp(sb->s_type->name, "tracefs") ||
+ !strcmp(sb->s_type->name, "binder") ||
+ !strcmp(sb->s_type->name, "bpf") ||
+- !strcmp(sb->s_type->name, "pstore"))
++ !strcmp(sb->s_type->name, "pstore") ||
++ !strcmp(sb->s_type->name, "securityfs"))
+ sbsec->flags |= SE_SBGENFS;
+
+ if (!strcmp(sb->s_type->name, "sysfs") ||
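Review bot: The `strcmp` chain that now ends with `"securityfs"` has no comment saying what membership in it grants, and that matters for anyone auditing which pseudo-filesystems can carry per-file SELinux labels. I would add one above the condition, for example `/* These filesystems take per-file labels from genfscon path entries in the loaded policy. */`, and mention there that for securityfs the labels come from policy only, since the commit description states that setxattr(2) is still not supported. Setting `SE_SBGENFS` presumably changes no label by itself: a file such as `/integrity/ima/policy` gets a private type only once the loaded policy has a matching genfscon statement, so until then write access to the IMA policy file stays governed by the filesystem-wide label. It is worth verifying the resulting label after policy load rather than assuming the separation is in effect. The body of `selinux_set_mnt_opts` starts and ends outside this hunk, so the role of the following `"sysfs"` condition is not visible here.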