From: Greg Kroah-Hartman Date: Tue, 16 Jun 2026 12:06:45 +0000 (+0530) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bfa6847ad6f3ae1da04f28573924fbb08b80779d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: selinux-enable-genfscon-labeling-for-securityfs.patch --- diff --git a/queue-5.15/selinux-enable-genfscon-labeling-for-securityfs.patch b/queue-5.15/selinux-enable-genfscon-labeling-for-securityfs.patch new file mode 100644 index 0000000000..b32e4f300a --- /dev/null +++ b/queue-5.15/selinux-enable-genfscon-labeling-for-securityfs.patch 
@@ -0,0 +1,45 @@ +From 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 28 Sep 2021 17:39:31 +0200 +Subject: selinux: enable genfscon labeling for securityfs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian Göttsche + +commit 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716 upstream. + +Add support for genfscon per-file labeling of securityfs files. +This allows for separate labels and thereby access control for +different files. For example a genfscon statement + + genfscon securityfs /integrity/ima/policy \ + system_u:object_r:ima_policy_t:s0 + +will set a private label to the IMA policy file and thus allow to +control the ability to set the IMA policy. Setting labels directly +with setxattr(2), e.g. by chcon(1) or setfiles(8), is still not +supported. + +Signed-off-by: Christian Göttsche +[PM: line width fixes in the commit description] +Signed-off-by: Paul Moore +Signed-off-by: Liem +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -741,7 +741,8 @@ static int selinux_set_mnt_opts(struct s + !strcmp(sb->s_type->name, "tracefs") || + !strcmp(sb->s_type->name, "binder") || + !strcmp(sb->s_type->name, "bpf") || +- !strcmp(sb->s_type->name, "pstore")) ++ !strcmp(sb->s_type->name, "pstore") || ++ !strcmp(sb->s_type->name, "securityfs")) + sbsec->flags |= SE_SBGENFS; + + if (!strcmp(sb->s_type->name, "sysfs") || diff --git a/queue-5.15/series b/queue-5.15/series index d3f636dfc0..bd8868b268 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -398,3 +398,4 @@ net-ipv6-ioam6-prevent-schema-length-wraparound-in-trace-fill.patch ksmbd-compare-macs-in-constant-time.patch nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch alsa-hda-hdmi-add-quirk-for-tuxedo-ibs14g6.patch +selinux-enable-genfscon-labeling-for-securityfs.patch
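Review bot: for the security/selinux/hooks.c hunk, the change is correct as far as the visible lines go, but the backport description should say why a 5.15 stable tree needs it, since the upstream commit (8a764ef1bd43fb2bb4ff3290746e5c820a3a9716, 2021) describes a new labeling capability rather than a fix, and stable readers will look for the user-visible problem being addressed. One consistency point worth stating explicitly in the description: "securityfs" is added only to the SE_SBGENFS list and not to the SE_SBGENFS_XATTR list that starts with `!strcmp(sb->s_type->name, "sysfs")` in the trailing context, which is what makes the "setxattr(2) ... is still not supported" sentence true; and because SE_SBGENFS switches securityfs inode labels from the superblock label to per-path genfscon lookup, the description should remind policy maintainers to carry at least a catch-all `genfscon securityfs /` entry alongside any more specific ones such as the `/integrity/ima/policy` example. The Signed-off-by for the backporter ("Liem") should carry a full name and address like the other tags.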
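Review bot: the queue-5.15/series hunk appends selinux-enable-genfscon-labeling-for-securityfs.patch after alsa-hda-hdmi-add-quirk-for-tuxedo-ibs14g6.patch, which matches the file name created in the first diff and has no visible ordering dependency on the preceding entries; no change needed here.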