[PATCH v7 03/42] selinux: support multiple selinuxfs instances
From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: 2025-08-14 13:27:07
Also in:
selinux
Subsystem:
selinux security module, the rest · Maintainers:
Paul Moore, Stephen Smalley, Linus Torvalds
Support multiple selinuxfs instances, one per selinux namespace. The expected usage would be to unshare the SELinux namespace and the mount namespace, and then mount a new selinuxfs instance. The new instance would then provide an interface for viewing and manipulating the state of the new SELinux namespace and would not affect the parent namespace in any manner. This change by itself should have no effect on SELinux behavior or APIs (userspace or LSM). Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> --- security/selinux/selinuxfs.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 221149e95dea..d07d585fa401 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c@@ -2151,9 +2151,33 @@ static int sel_fill_super(struct super_block *sb, struct fs_context *fc) return ret; } +static int selinuxfs_compare(struct super_block *sb, struct fs_context *fc) +{ + struct selinux_fs_info *fsi = sb->s_fs_info; + + return (current_selinux_state == fsi->state); +} + static int sel_get_tree(struct fs_context *fc) { - return get_tree_single(fc, sel_fill_super); + struct super_block *sb; + int err; + + sb = sget_fc(fc, selinuxfs_compare, set_anon_super_fc); + if (IS_ERR(sb)) + return PTR_ERR(sb); + + if (!sb->s_root) { + err = sel_fill_super(sb, fc); + if (err) { + deactivate_locked_super(sb); + return err; + } + sb->s_flags |= SB_ACTIVE; + } + + fc->root = dget(sb->s_root); + return 0; } static const struct fs_context_operations sel_context_ops = {
--
2.50.1