lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <e2c4c055ff356b4fe5d49bc9df3fd2ab@paul-moore.com>
Date: Thu, 04 Sep 2025 16:15:52 -0400
From: Paul Moore <paul@...l-moore.com>
To: Neill Kapron <nkapron@...gle.com>, Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>
Cc: Neill Kapron <nkapron@...gle.com>, kernel-team@...roid.com, selinux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] selinux: enable per-file labeling for functionfs

On Aug 28, 2025 Neill Kapron <nkapron@...gle.com> wrote:
> 
> This patch adds support for genfscon per-file labeling of functionfs
> files as well as support for userspace to apply labels after new
> functionfs endpoints are created.
> 
> This allows for separate labels and therefore access control on a
> per-endpoint basis. An example use case would be for the default
> endpoint EP0 used as a restricted control endpoint, and additional
> USB endpoints to be used by other more permissive domains.
> 
> It should be noted that if there are multiple functionfs mounts on a
> system, genfs file labels will apply to all mounts, and therefore will not
> likely be as useful as the userspace relabeling portion of this patch -
> the addition to selinux_is_genfs_special_handling().
> 
> This patch introduces the functionfs_seclabel policycap to maintain
> existing functionfs genfscon behavior unless explicitly enabled.
> 
> Signed-off-by: Neill Kapron <nkapron@...gle.com>
> 
> Changes since v1:
> - Add functionfs_seclabel policycap
> - Move new functionality to the end of existing lists
> 
> Changes since v2:
> - Sending as separate patches
> 
> Acked-by: Stephen Smalley <stephen.smalley.work@...il.com>
> ---
>  security/selinux/hooks.c                   | 8 ++++++--
>  security/selinux/include/policycap.h       | 1 +
>  security/selinux/include/policycap_names.h | 1 +
>  security/selinux/include/security.h        | 6 ++++++
>  4 files changed, 14 insertions(+), 2 deletions(-)

Merged into selinux/dev, thanks!

--
paul-moore.com
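As an added illustration, not part of this thread and not code from the patch or the SELinux project, the kernel policy fragment below sketches how a policy writer could use the behaviour the patch description outlines: the policycap gates per-path genfscon matching for functionfs, and distinct object types let EP0 stay confined to a narrow control domain while the other endpoints are reachable from a broader data-transfer domain. The policycap name functionfs_seclabel and the EP0 use case come from the quoted description; every type and domain name (ffs_control_t, ffs_data_t, usb_ctrl_t, usb_data_t), the endpoint file names other than ep0, and the MLS-style contexts are assumptions.

```selinux
# Added example, not from the patch. All type/domain names are assumptions.

# Without this policycap, functionfs keeps its old behaviour: a single
# genfscon label for the whole mount. Enabling it turns on per-path matching.
policycap functionfs_seclabel;

# Object types for the endpoint files.
type ffs_control_t;   # assumed: label for the restricted control endpoint
type ffs_data_t;      # assumed: label for bulk data endpoints

# Subject domains (assumed names).
type usb_ctrl_t;      # the only domain allowed to drive EP0
type usb_data_t;      # a broader domain that moves data on other endpoints

# Fallback label for every file under a functionfs mount, including ep0.
genfscon functionfs /    system_u:object_r:ffs_control_t:s0

# Longer path prefixes take precedence, so these entries override the
# fallback for the data endpoints. genfscon matches on path *prefix*:
# "/ep1" also covers "/ep10", so choose prefixes that cannot collide
# with endpoint names you did not intend to relabel.
genfscon functionfs /ep1 system_u:object_r:ffs_data_t:s0
genfscon functionfs /ep2 system_u:object_r:ffs_data_t:s0

# Access control now differs per endpoint.
allow usb_ctrl_t ffs_control_t:file { open read write ioctl };
allow usb_data_t ffs_data_t:file    { open read write };

# Userspace relabeling after an endpoint is created (the second half of
# the patch) still needs explicit permission: the relabeling domain must
# hold relabelfrom on the old type and relabelto on the new one.
allow usb_ctrl_t ffs_control_t:file relabelfrom;
allow usb_ctrl_t ffs_data_t:file    relabelto;
```

Two practical notes follow from the description itself. First, genfscon entries are keyed only by filesystem type and path, so with several functionfs mounts the same rules label every mount identically; where mounts must differ, the userspace path (setting the label on the new endpoint file with setfilecon(3) or chcon(1), which the patch enables for functionfs through selinux_is_genfs_special_handling()) is the one to use. Second, audit the resulting labels with ls -Z on a live mount before relying on them, since a prefix that matches more endpoint names than intended silently widens access.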
