[PATCH] selinux: enable per-file labeling for functionfs

[PATCH] selinux: enable per-file labeling for functionfs

[Neill Kapron]

This patch adds support for genfscon per-file labeling of functionfs
files as well as support for userspace to apply labels after new
functionfs endpoints are created.

This allows for separate labels and therefore access control on a
per-endpoint basis. An example use case would be for the default
endpoint EP0 used as a restricted control endpoint, and additional
usb endpoints to be used by other more permissive domains.

It should be noted that if there are multiple functionfs mounts on a
system, genfs file labels will apply to all mounts, and therefore will not
likely be as useful as the userspace relabeling portion of this patch -
the addition to selinux_is_genfs_special_handling().

Signed-off-by: Neill Kapron <nkapron@google.com>
---
 security/selinux/hooks.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e474cd7398ef..54b82c814b4d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -474,6 +474,7 @@ static int selinux_is_genfs_special_handling(struct super_block *sb)
 		!strcmp(sb->s_type->name, "debugfs") ||
 		!strcmp(sb->s_type->name, "tracefs") ||
 		!strcmp(sb->s_type->name, "rootfs") ||
+		!strcmp(sb->s_type->name, "functionfs") ||
 		(selinux_policycap_cgroupseclabel() &&
 		 (!strcmp(sb->s_type->name, "cgroup") ||
 		  !strcmp(sb->s_type->name, "cgroup2")));
@@ -741,6 +742,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	    !strcmp(sb->s_type->name, "binder") ||
 	    !strcmp(sb->s_type->name, "bpf") ||
 	    !strcmp(sb->s_type->name, "pstore") ||
+	    !strcmp(sb->s_type->name, "functionfs") ||
 	    !strcmp(sb->s_type->name, "securityfs"))
 		sbsec->flags |= SE_SBGENFS;
 
-- 
2.51.0.261.g7ce5a0a67e-goog

Re: [PATCH] selinux: enable per-file labeling for functionfs

[Stephen Smalley]

On Wed, Aug 20, 2025 at 5:23 PM Neill Kapron <nkapron@google.com> wrote:
>
> This patch adds support for genfscon per-file labeling of functionfs
> files as well as support for userspace to apply labels after new
> functionfs endpoints are created.
>
> This allows for separate labels and therefore access control on a
> per-endpoint basis. An example use case would be for the default
> endpoint EP0 used as a restricted control endpoint, and additional
> usb endpoints to be used by other more permissive domains.
>
> It should be noted that if there are multiple functionfs mounts on a
> system, genfs file labels will apply to all mounts, and therefore will not
> likely be as useful as the userspace relabeling portion of this patch -
> the addition to selinux_is_genfs_special_handling().
>
> Signed-off-by: Neill Kapron <nkapron@google.com>

Did you confirm that functionfs is safe wrt genfscon-based and
userspace labeling, as per:
https://github.com/SELinuxProject/selinux-kernel/issues/2

Also as per that longstanding open issue, we'd welcome patches to
generalize the current hardcoded list of filesystem types to
instead lookup the filesystem type in the policy to see if it should
support genfscon and/or userspace labeling.

> ---
>  security/selinux/hooks.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e474cd7398ef..54b82c814b4d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -474,6 +474,7 @@ static int selinux_is_genfs_special_handling(struct super_block *sb)
>                 !strcmp(sb->s_type->name, "debugfs") ||
>                 !strcmp(sb->s_type->name, "tracefs") ||
>                 !strcmp(sb->s_type->name, "rootfs") ||
> +               !strcmp(sb->s_type->name, "functionfs") ||
>                 (selinux_policycap_cgroupseclabel() &&
>                  (!strcmp(sb->s_type->name, "cgroup") ||
>                   !strcmp(sb->s_type->name, "cgroup2")));
> @@ -741,6 +742,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>             !strcmp(sb->s_type->name, "binder") ||
>             !strcmp(sb->s_type->name, "bpf") ||
>             !strcmp(sb->s_type->name, "pstore") ||
> +           !strcmp(sb->s_type->name, "functionfs") ||
>             !strcmp(sb->s_type->name, "securityfs"))
>                 sbsec->flags |= SE_SBGENFS;
>
> --
> 2.51.0.261.g7ce5a0a67e-goog
>

Re: [PATCH] selinux: enable per-file labeling for functionfs

[Stephen Smalley]

On Thu, Aug 21, 2025 at 8:59 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Aug 20, 2025 at 5:23 PM Neill Kapron <nkapron@google.com> wrote:
> >
> > This patch adds support for genfscon per-file labeling of functionfs
> > files as well as support for userspace to apply labels after new
> > functionfs endpoints are created.
> >
> > This allows for separate labels and therefore access control on a
> > per-endpoint basis. An example use case would be for the default
> > endpoint EP0 used as a restricted control endpoint, and additional
> > usb endpoints to be used by other more permissive domains.
> >
> > It should be noted that if there are multiple functionfs mounts on a
> > system, genfs file labels will apply to all mounts, and therefore will not
> > likely be as useful as the userspace relabeling portion of this patch -
> > the addition to selinux_is_genfs_special_handling().
> >
> > Signed-off-by: Neill Kapron <nkapron@google.com>
>
> Did you confirm that functionfs is safe wrt genfscon-based and
> userspace labeling, as per:
> https://github.com/SELinuxProject/selinux-kernel/issues/2
>
> Also as per that longstanding open issue, we'd welcome patches to
> generalize the current hardcoded list of filesystem types to
> instead lookup the filesystem type in the policy to see if it should
> support genfscon and/or userspace labeling.

Also, do we need a new policycap to conditionally enable this new
labeling behavior to avoid any regressions?
See the corresponding checks for cgroup labeling and
https://github.com/SELinuxProject/selinux-kernel/wiki/Getting-Started#adding-a-new-selinux-policy-capability

Re: [PATCH] selinux: enable per-file labeling for functionfs

[Neill Kapron]

On Thu, Aug 21, 2025 at 09:03:49AM -0400, Stephen Smalley wrote:
> On Thu, Aug 21, 2025 at 8:59 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > Did you confirm that functionfs is safe wrt genfscon-based and
> > userspace labeling, as per:
> > https://github.com/SELinuxProject/selinux-kernel/issues/2

Yes, I believe this is safe - FunctionFS is a filesystem which
exclusively exists in memory. The kernel creates an EP0 file to which
userspace writes usb endpoint descriptors to, and the kernel
sequentially creates the endpoint files for each descriptor.
.create/.link/.rename methods are not supported for the root directory
or any of the file inodes. So userspace can control the number of files
created in this directory, but does not have control of their naming or
anything else.

In Android, we further restrict permissions to the directory and control
endpoint EP0 to specific system processes. Our goal with this patch is
to maintain this restriction, while providing more permissive labels to
the endpoints created by the system process.

> >
> > Also as per that longstanding open issue, we'd welcome patches to
> > generalize the current hardcoded list of filesystem types to
> > instead lookup the filesystem type in the policy to see if it should
> > support genfscon and/or userspace labeling.
>

Unfortunately, that is outside my expertise at this time and I don't
have a solid understanding of how this would be accomplished.

> Also, do we need a new policycap to conditionally enable this new
> labeling behavior to avoid any regressions?
> See the corresponding checks for cgroup labeling and
> https://github.com/SELinuxProject/selinux-kernel/wiki/Getting-Started#adding-a-new-selinux-policy-capability

Thanks, I will send a V2 which adds a new policycap for this.