Hi,

These patches add support to receive and set file security context at the time of file creation. This is one of the components needed to support SELinux on virtiofs.

I have posted kernel patches here just now.

https://lore.kernel.org/linux-fsdevel/20210924192442.916927-1-vgo...@redhat.com/T/#m971f9001dd622b3f7a96a65899e3f146d2185841

These patches will allow users to configure virtiofsd in multiple modes to set security context.

A. Guest and host selinux policies can work with each other.
   - virtiofsd will use the /proc/thread-self/attr/fscreate knob to set security context before file creation.

B. Remap the guest selinux security xattr to something else, say, trusted.virtiofs.security.selinux.
   - Give CAP_SYS_ADMIN to virtiofsd.
   - "-o -o xattrmap=:map:security.selinux:trusted.virtiofsd.:"

C. If no SELinux on host.
   - Give CAP_SYS_ADMIN to virtiofsd.

I have tested mode A and B but yet to test mode C. I think either mode B or mode C will be the most commonly used mode when guest does need SELinux support in virtiofs.

With these patches, I am able to boot a guest VM with rootfs on virtiofs and with SELinux enabled in guest.

Please review.

Thanks
Vivek

Vivek Goyal (5):
  fuse: Header file changes for FUSE_SECURITY_CTX
  fuse_lowlevel.c: Add capability to parse security context
  virtiofsd: Move core file creation code in separate function
  virtiofsd: Create new file with fscreate set
  virtiofsd: Create new file using O_TMPFILE and set security context

 include/standard-headers/linux/fuse.h |  14 +-
 tools/virtiofsd/fuse_common.h         |   5 +
 tools/virtiofsd/fuse_i.h              |   7 +
 tools/virtiofsd/fuse_lowlevel.c       |  74 ++++++
 tools/virtiofsd/passthrough_ll.c      | 366 ++++++++++++++++++++++++--
 5 files changed, 436 insertions(+), 30 deletions(-)

-- 
2.31.1