[PATCH] libsepol: add memfd_class capability

[PATCH] libsepol: add memfd_class capability

[Thiébaud Weksteen]

memfd_class was declared upstream in [1]. Add it to the list of known
capabilities.

[1] https://lore.kernel.org/selinux/20250826031824.1227551-1-tweek@google.com/

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
 libsepol/include/sepol/policydb/polcaps.h | 1 +
 libsepol/src/polcaps.c                    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
index 0835ea21..1f8e8bdb 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@@ -19,6 +19,7 @@ enum {
 	POLICYDB_CAP_NETLINK_XPERM,
 	POLICYDB_CAP_NETIF_WILDCARD,
 	POLICYDB_CAP_GENFS_SECLABEL_WILDCARD,
+	POLICYDB_CAP_MEMFD_CLASS,
 	__POLICYDB_CAP_MAX
 };
 #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
index 7ac0ae7c..22f0905f 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@@ -18,6 +18,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = {
 	[POLICYDB_CAP_NETLINK_XPERM]			= "netlink_xperm",
 	[POLICYDB_CAP_NETIF_WILDCARD]			= "netif_wildcard",
 	[POLICYDB_CAP_GENFS_SECLABEL_WILDCARD]		= "genfs_seclabel_wildcard",
+	[POLICYDB_CAP_MEMFD_CLASS]			= "memfd_class",
 };
 
 int sepol_polcap_getnum(const char *name)
-- 
2.51.0.338.gd7d06c2dae-goog

Re: [PATCH] libsepol: add memfd_class capability

[Stephen Smalley]

On Tue, Sep 2, 2025 at 1:50 AM Thiébaud Weksteen <tweek@google.com> wrote:
>
> memfd_class was declared upstream in [1]. Add it to the list of known
> capabilities.
>
> [1] https://lore.kernel.org/selinux/20250826031824.1227551-1-tweek@google.com/
>
> Signed-off-by: Thiébaud Weksteen <tweek@google.com>

Just a reminder for the other SELinux userspace maintainers that we
need to wait until we see which policy capability ends up being
reserved in the upstream kernel before applying this patch.
And a reminder of the following longstanding open issue that is
relevant, https://github.com/SELinuxProject/selinux/issues/55

> ---
>  libsepol/include/sepol/policydb/polcaps.h | 1 +
>  libsepol/src/polcaps.c                    | 1 +
>  2 files changed, 2 insertions(+)
>
> diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
> index 0835ea21..1f8e8bdb 100644
> --- a/libsepol/include/sepol/policydb/polcaps.h
> +++ b/libsepol/include/sepol/policydb/polcaps.h
> @@ -19,6 +19,7 @@ enum {
>         POLICYDB_CAP_NETLINK_XPERM,
>         POLICYDB_CAP_NETIF_WILDCARD,
>         POLICYDB_CAP_GENFS_SECLABEL_WILDCARD,
> +       POLICYDB_CAP_MEMFD_CLASS,
>         __POLICYDB_CAP_MAX
>  };
>  #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
> diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
> index 7ac0ae7c..22f0905f 100644
> --- a/libsepol/src/polcaps.c
> +++ b/libsepol/src/polcaps.c
> @@ -18,6 +18,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = {
>         [POLICYDB_CAP_NETLINK_XPERM]                    = "netlink_xperm",
>         [POLICYDB_CAP_NETIF_WILDCARD]                   = "netif_wildcard",
>         [POLICYDB_CAP_GENFS_SECLABEL_WILDCARD]          = "genfs_seclabel_wildcard",
> +       [POLICYDB_CAP_MEMFD_CLASS]                      = "memfd_class",
>  };
>
>  int sepol_polcap_getnum(const char *name)
> --
> 2.51.0.338.gd7d06c2dae-goog
>