Re: [PATCH] selinux: enable per-file labeling for functionfs
From: Stephen Smalley
Date: Thu Aug 21 2025 - 09:11:56 EST
On Thu, Aug 21, 2025 at 8:59 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Aug 20, 2025 at 5:23 PM Neill Kapron <nkapron@xxxxxxxxxx> wrote:
> >
> > This patch adds support for genfscon per-file labeling of functionfs
> > files as well as support for userspace to apply labels after new
> > functionfs endpoints are created.
> >
> > This allows for separate labels and therefore access control on a
> > per-endpoint basis. An example use case would be for the default
> > endpoint EP0 used as a restricted control endpoint, and additional
> > usb endpoints to be used by other more permissive domains.
> >
> > It should be noted that if there are multiple functionfs mounts on a
> > system, genfs file labels will apply to all mounts, and therefore will not
> > likely be as useful as the userspace relabeling portion of this patch -
> > the addition to selinux_is_genfs_special_handling().
> >
> > Signed-off-by: Neill Kapron <nkapron@xxxxxxxxxx>
>
> Did you confirm that functionfs is safe wrt genfscon-based and
> userspace labeling, as per:
> https://github.com/SELinuxProject/selinux-kernel/issues/2
>
> Also as per that longstanding open issue, we'd welcome patches to
> generalize the current hardcoded list of filesystem types to
> instead lookup the filesystem type in the policy to see if it should
> support genfscon and/or userspace labeling.
Also, do we need a new policycap to conditionally enable this new
labeling behavior to avoid any regressions?
See the corresponding checks for cgroup labeling and
https://github.com/SELinuxProject/selinux-kernel/wiki/Getting-Started#adding-a-new-selinux-policy-capability
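The pattern the reply points at, as an added illustration that is not part of the patch or of the kernel source: a small user-space model of the "genfs special handling" check, where a filesystem type only becomes relabelable from userspace once the policy that was loaded declares the matching capability. The cgroup branch mirrors the existing cgroupseclabel gate; the functionfs branch and the name policycap_functionfs_seclabel are hypothetical, chosen here only to show how a new capability would keep older policies on their old behavior.

```c
/* Added example, not code from the patch under review or from the kernel.
 * Models how a policy capability gates "special handling" of a genfscon
 * filesystem (genfscon labels plus in-core setxattr relabeling).
 * The cgroup gate mirrors the real cgroupseclabel capability; the
 * functionfs gate and its capability name are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for capability bits read from the loaded policy. */
static bool policycap_cgroupseclabel;       /* existing cap: cgroupseclabel */
static bool policycap_functionfs_seclabel;  /* hypothetical new cap */

/* Simulates loading a policy that declares (or omits) the two capabilities. */
void load_policy_caps(bool cgroup_seclabel, bool functionfs_seclabel)
{
    policycap_cgroupseclabel = cgroup_seclabel;
    policycap_functionfs_seclabel = functionfs_seclabel;
}

/* User-space model of selinux_is_genfs_special_handling(): filesystem types
 * that are genfscon-labeled but also accept userspace relabels. The
 * unconditional entries are always special-cased; the gated entries only
 * join the list when the loaded policy opted in, so a policy written before
 * the capability existed sees no change in labeling behavior. */
bool genfs_special_handling(const char *fstype)
{
    return !strcmp(fstype, "sysfs") ||
           !strcmp(fstype, "pstore") ||
           !strcmp(fstype, "debugfs") ||
           !strcmp(fstype, "tracefs") ||
           !strcmp(fstype, "rootfs") ||
           (policycap_cgroupseclabel &&
            (!strcmp(fstype, "cgroup") || !strcmp(fstype, "cgroup2"))) ||
           (policycap_functionfs_seclabel && !strcmp(fstype, "functionfs"));
}

/* Prints how each filesystem type is treated under an old policy (no caps)
 * and under a new policy (both caps), to make the regression story visible. */
int main(void)
{
    const char *types[] = { "sysfs", "cgroup2", "functionfs", "ext4" };
    size_t n = sizeof(types) / sizeof(types[0]);

    for (int with_caps = 0; with_caps <= 1; with_caps++) {
        load_policy_caps(with_caps, with_caps);
        printf("policy %s capabilities:\n", with_caps ? "with" : "without");
        for (size_t i = 0; i < n; i++)
            printf("  %-11s userspace relabel: %s\n", types[i],
                   genfs_special_handling(types[i]) ? "yes" : "no");
    }
    return 0;
}
```

Without the capability the hypothetical functionfs branch is inert, so a policy built before the change behaves exactly as before; only a policy that declares the capability enables the new relabeling path.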