selinux: enable genfscon labeling for securityfs
author: Christian Göttsche <cgzones@googlemail.com>
Tue, 28 Sep 2021 15:39:31 +0000 (17:39 +0200)
committer: Paul Moore <paul@paul-moore.com>
Tue, 28 Sep 2021 22:49:03 +0000 (18:49 -0400)
Add support for genfscon per-file labeling of securityfs files.
This allows for separate labels and thereby access control for
different files. For example a genfscon statement

    genfscon securityfs /integrity/ima/policy \
system_u:object_r:ima_policy_t:s0

will set a private label on the IMA policy file and thus allow controlling
the ability to set the IMA policy. Setting labels directly
with setxattr(2), e.g. by chcon(1) or setfiles(8), is still not
supported.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: line width fixes in the commit description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
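To make the labeling rule in the commit message concrete, here is a small user-space model of how a genfscon table resolves a file's label: the entry with the longest path prefix for the filesystem wins, and the match is a plain string prefix. This is an added example, not kernel code and not part of the commit; the policy table is constructed for illustration, the class restriction that real genfscon entries can carry is left out, and the behavior when no entry matches is modeled as "no label found".

```c
/* Added example: user-space model of SELinux genfscon label lookup.
 * Not kernel code.  Entries below are constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

struct genfs_entry {
    const char *fstype;  /* filesystem type name, e.g. "securityfs" */
    const char *path;    /* path prefix relative to the filesystem root */
    const char *context; /* security context assigned to matching files */
};

/* Constructed policy fragment.  Paths are relative to the mount root, so
 * /sys/kernel/security/integrity/ima/policy is seen as /integrity/ima/policy.
 * The "/" entry is the catch-all that every other securityfs file falls
 * back to; without it only the IMA policy file would match anything. */
static const struct genfs_entry policy[] = {
    { "securityfs", "/",                     "system_u:object_r:security_t:s0"   },
    { "securityfs", "/integrity/ima/policy", "system_u:object_r:ima_policy_t:s0" },
    { "proc",       "/",                     "system_u:object_r:proc_t:s0"       },
};

/* Return the context of the longest matching genfscon path prefix for
 * (fstype, path), or NULL if the table has no entry covering it.
 * The comparison is a string prefix, not a path-component match, so the
 * "/integrity/ima/policy" entry also matches "/integrity/ima/policy2". */
static const char *genfs_lookup(const char *fstype, const char *path)
{
    const struct genfs_entry *best = NULL;
    size_t best_len = 0;

    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++) {
        const struct genfs_entry *e = &policy[i];
        size_t len = strlen(e->path);

        if (strcmp(e->fstype, fstype) != 0)
            continue;
        if (strncmp(e->path, path, len) != 0)
            continue;
        if (best == NULL || len > best_len) {
            best = e;
            best_len = len;
        }
    }
    return best ? best->context : NULL;
}

int main(void)
{
    static const char *const probes[] = {
        "/integrity/ima/policy",
        "/integrity/ima/ascii_runtime_measurements",
        "/lsm",
        "/integrity/ima/policy2",
    };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        const char *ctx = genfs_lookup("securityfs", probes[i]);
        printf("securityfs %-45s -> %s\n", probes[i], ctx ? ctx : "(no entry)");
    }
    /* A filesystem with no genfscon entries at all resolves to nothing. */
    const char *none = genfs_lookup("bpf", "/");
    printf("bpf        %-45s -> %s\n", "/", none ? none : "(no entry)");
    return 0;
}
```

The last probe is the caveat worth remembering when writing these entries: a path that merely extends a more specific entry inherits that entry's label, so a file created beside the IMA policy with a longer name would also become ima_policy_t under this table.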
security/selinux/hooks.c

index 012e8504ed9e91e15188911c62fa9372acba9bec..549f631e98324a90809202ecde88aaf49d091e40 100644 (file)
@@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
            !strcmp(sb->s_type->name, "tracefs") ||
            !strcmp(sb->s_type->name, "binder") ||
            !strcmp(sb->s_type->name, "bpf") ||
-           !strcmp(sb->s_type->name, "pstore"))
+           !strcmp(sb->s_type->name, "pstore") ||
+           !strcmp(sb->s_type->name, "securityfs"))
                sbsec->flags |= SE_SBGENFS;
 
        if (!strcmp(sb->s_type->name, "sysfs") ||
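Review bot: the commit message documents only the `/integrity/ima/policy` entry, but once securityfs carries SE_SBGENFS every file under it is resolved through the genfscon table by longest path prefix, so the message should also state that a catch-all `genfscon securityfs /` entry is still needed for the remaining files to get a meaningful label. Two smaller points on the hunk: the chain of `!strcmp(sb->s_type->name, ...)` calls is now seven entries long and mirrors the shape of the second list that starts at the trailing `sysfs` context line, so a static array of filesystem names walked in a loop would keep both lists easier to audit; and the message's claim that setxattr(2) remains unsupported is consistent with securityfs being added only here and not to that following `sysfs` list, which would be worth a one-line comment above each list saying what it controls.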