Re: [PATCH v3] selinux: enable per-file labeling for functionfs

From: Paul Moore
Date: Thu Sep 04 2025 - 16:16:04 EST


On Aug 28, 2025 Neill Kapron <nkapron@xxxxxxxxxx> wrote:
>
> This patch adds support for genfscon per-file labeling of functionfs
> files as well as support for userspace to apply labels after new
> functionfs endpoints are created.
>
> This allows for separate labels and therefore access control on a
> per-endpoint basis. An example use case would be for the default
> endpoint EP0 used as a restricted control endpoint, and additional
> USB endpoints to be used by other more permissive domains.
>
> It should be noted that if there are multiple functionfs mounts on a
> system, genfs file labels will apply to all mounts, and therefore will not
> likely be as useful as the userspace relabeling portion of this patch -
> the addition to selinux_is_genfs_special_handling().
>
> This patch introduces the functionfs_seclabel policycap to maintain
> existing functionfs genfscon behavior unless explicitly enabled.
>
> Signed-off-by: Neill Kapron <nkapron@xxxxxxxxxx>
>
> Changes since v1:
> - Add functionfs_seclabel policycap
> - Move new functionality to the end of existing lists
>
> Changes since v2:
> - Sending as separate patches
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> security/selinux/hooks.c | 8 ++++++--
> security/selinux/include/policycap.h | 1 +
> security/selinux/include/policycap_names.h | 1 +
> security/selinux/include/security.h | 6 ++++++
> 4 files changed, 14 insertions(+), 2 deletions(-)

Merged into selinux/dev, thanks!

--
paul-moore.com
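To make the quoted description concrete, below is an illustrative policy fragment in the kernel policy language. It is an added example written for this page, not code from the patch or from any shipped policy; every type name (functionfs_t, functionfs_ep0_t, functionfs_ep_t, functionfs_ep_adb_t, usb_ctrl_t, usb_data_t) is an assumed placeholder, and the Android-style u:object_r:...:s0 contexts assume an MLS/MCS-enabled policy. Only the policycap name functionfs_seclabel comes from the patch.

```sepolicy
# Illustrative fragment, not part of the patch. All type names below are
# assumed placeholders.

# Opt in. Without this policycap the kernel keeps the pre-patch behaviour,
# in which the functionfs genfscon entry labels every file in the mount.
policycap functionfs_seclabel;

type functionfs_t;
type functionfs_ep0_t;
type functionfs_ep_t;
type functionfs_ep_adb_t;
type usb_ctrl_t;
type usb_data_t;

# Per-file genfscon labels. Caveat from the commit message: a genfscon
# path matches in every functionfs mount on the system, so it cannot tell
# one gadget function's ep1 apart from another's.
genfscon functionfs /     u:object_r:functionfs_t:s0
genfscon functionfs /ep0  u:object_r:functionfs_ep0_t:s0
genfscon functionfs /ep1  u:object_r:functionfs_ep_t:s0
genfscon functionfs /ep2  u:object_r:functionfs_ep_t:s0

# The restricted control domain is the only one that may use EP0; the more
# permissive data domain only reaches the data endpoints.
allow usb_ctrl_t functionfs_ep0_t:file { open read write ioctl };
allow usb_data_t functionfs_ep_t:file  { open read write ioctl };
neverallow usb_data_t functionfs_ep0_t:file *;

# Userspace relabeling after endpoint creation (the second half of the
# patch): the control domain may move a freshly created endpoint file from
# its genfscon label to a mount-specific label, for example via setfilecon(3),
# which is what distinguishes mounts when several functionfs instances exist.
allow usb_ctrl_t functionfs_ep_t:file     relabelfrom;
allow usb_ctrl_t functionfs_ep_adb_t:file relabelto;
allow usb_data_t functionfs_ep_adb_t:file { open read write ioctl };
```

The genfscon lines give a usable default when a system has one functionfs mount; the relabelfrom/relabelto pair is the part that matters once several mounts share the same genfscon table, since it lets a trusted daemon assign a per-mount label to each endpoint file right after creating it. A useful check after loading such a policy is to confirm that the data domain is denied on ep0 in audit logs while still reaching ep1/ep2, which verifies the per-endpoint separation the commit message is aiming for.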