From 6918a4413decccd2f535e66d12b2e3dee10a74a8 Mon Sep 17 00:00:00 2001
From: Jakob Unterwurzacher
Date: Sat, 19 Apr 2025 19:39:10 +0200
Subject: cli: mount: add -context option

Set the SELinux context. See mount(8) for details.
---
 Documentation/MANPAGE.md | 10 ++++++++++
 cli_args.go              |  5 +++--
 mount.go                 |  3 +++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/Documentation/MANPAGE.md b/Documentation/MANPAGE.md
index c7a1c03..64bbaa8 100644
--- a/Documentation/MANPAGE.md
+++ b/Documentation/MANPAGE.md
@@ -208,6 +208,16 @@ Show all invalid filenames:
 
     -badname '*'
 
+#### -context string
+Set the SELinux context. See mount(8) for details.
+
+This option was added for compatibility with xfstests which sets
+this option via `-o context="system_u:object_r:root_t:s0"`.
+
+Only works when mounting as root, otherwise you get this error from fusermount3:
+
+    fusermount3: unknown option 'context="system_u:object_r:root_t:s0"'
+
 #### -ctlsock string
 Create a control socket at the specified location. The socket can be
 used to decrypt and encrypt paths inside the filesystem. When using
diff --git a/cli_args.go b/cli_args.go
index 2e9e796..4101b86 100644
--- a/cli_args.go
+++ b/cli_args.go
@@ -35,9 +35,9 @@ type argContainer struct {
 	// Mount options with opposites
 	dev, nodev, suid, nosuid, exec, noexec, rw, ro, kernel_cache, acl bool
 	masterkey, mountpoint, cipherdir, cpuprofile,
-	memprofile, ko, ctlsock, fsname, force_owner, trace string
+	memprofile, ko, ctlsock, fsname, force_owner, trace, context string
 	// FIDO2
-	fido2 string
+	fido2                string
 	fido2_assert_options []string
 	// -extpass, -badname, -passfile can be passed multiple times
 	extpass, badname, passfile []string
@@ -211,6 +211,7 @@ func parseCliOpts(osArgs []string) (args argContainer) {
 	flagSet.StringVar(&args.force_owner, "force_owner", "", "uid:gid pair to coerce ownership")
 	flagSet.StringVar(&args.trace, "trace", "", "Write execution trace to file")
 	flagSet.StringVar(&args.fido2, "fido2", "", "Protect the masterkey using a FIDO2 token instead of a password")
+	flagSet.StringVar(&args.context, "context", "", "Set SELinux context (see mount(8) for details)")
 	flagSet.StringArrayVar(&args.fido2_assert_options, "fido2-assert-option", nil, "Options to be passed with `fido2-assert -t`")
 
 	// Exclusion options
diff --git a/mount.go b/mount.go
index 0eaa3dd..fe82c0c 100644
--- a/mount.go
+++ b/mount.go
@@ -469,6 +469,9 @@ func initGoFuse(rootNode fs.InodeEmbedder, args *argContainer) *fuse.Server {
 	} else if args.exec {
 		opts["exec"] = ""
 	}
+	if args.context != "" {
+		opts["context"] = args.context
+	}
 	// Add additional mount options (if any) after the stock ones, so the user has
 	// a chance to override them.
 	if args.ko != "" {
-- 
cgit v1.2.3