selinux: allow per-file labeling for cgroupfs

This patch allows genfscon per-file labeling for cgroupfs. For instance, this allows to label the "release_agent" file within each cgroup mount and limit writes to it. Signed-off-by: Antonio Murdaca <amurdaca@redhat.com> [PM: subject line and merge tweaks] Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Antonio Murdaca <runcom@redhat.com> 2017-02-09 17:02:42 +0100
committer: Paul Moore <paul@paul-moore.com> 2017-08-22 15:38:18 -0400
commit: 901ef845fa2469c211ce3b1e955d9e7245ab5d50 (patch)
tree: b09c7e1bb1705c4db7dd5468b19fb7f243aa37b6
parent: 5d72801538eb59cfd9ca25d00aa439cfbc02ac9a (diff)
download: op-kernel-dev-901ef845fa2469c211ce3b1e955d9e7245ab5d50.zip
op-kernel-dev-901ef845fa2469c211ce3b1e955d9e7245ab5d50.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2bd7b82..f803fdc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -815,7 +815,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	if (!strcmp(sb->s_type->name, "debugfs") ||
 	    !strcmp(sb->s_type->name, "tracefs") ||
 	    !strcmp(sb->s_type->name, "sysfs") ||
-	    !strcmp(sb->s_type->name, "pstore"))
+	    !strcmp(sb->s_type->name, "pstore") ||
+	    !strcmp(sb->s_type->name, "cgroup") ||
+	    !strcmp(sb->s_type->name, "cgroup2"))
 		sbsec->flags |= SE_SBGENFS;
 
 	if (!sbsec->behavior) {
author	Antonio Murdaca <runcom@redhat.com>	2017-02-09 17:02:42 +0100
committer	Paul Moore <paul@paul-moore.com>	2017-08-22 15:38:18 -0400
commit	901ef845fa2469c211ce3b1e955d9e7245ab5d50 (patch)
tree	b09c7e1bb1705c4db7dd5468b19fb7f243aa37b6
parent	5d72801538eb59cfd9ca25d00aa439cfbc02ac9a (diff)
download	op-kernel-dev-901ef845fa2469c211ce3b1e955d9e7245ab5d50.zip op-kernel-dev-901ef845fa2469c211ce3b1e955d9e7245ab5d50.tar.gz