* [PATCH] object_classes_permissions.md: Add anon_inode class
@ 2021-03-09 16:46 Richard Haines
From: Richard Haines @ 2021-03-09 16:46 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
Add anon_inode class and permissions with example rules. The kernel
currently only supports userfaultfd(2) services.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/object_classes_permissions.md | 28 ++++++++++++++++++++++++++++
src/type_statements.md | 4 ++++
2 files changed, 32 insertions(+)
diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index fa16024..bbc703d 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -20,6 +20,7 @@
- [*blk_file*](#blk_file)
- [*sock_file*](#sock_file)
- [*fifo_file*](#fifo_file)
+ - [*anon_inode*](#anon_inode)
- [*fd*](#fd)
- [Network Object Classes](#network-object-classes)
- [*node*](#node)
@@ -953,6 +954,33 @@ Named pipes
**Permissions** - Inherit 25
[**Common File Permissions**](#common-file-permissions):
+- *append*, *audit_access*, *create*, *execute*, *execmod*, *getattr*, *ioctl*,
+ *link*, *lock*, *map*, *mounton*, *open*, *quotaon*, *read*, *relabelfrom*,
+ *relabelto*, *rename*, *setattr*, *unlink*, *watch*, *watch_mount*,
+ *watch_sb*, *watch_with_perm*, *watch_reads*, *write*
+
+### *anon_inode*
+
+Control anonymous-inode files via the kernel *anon_inode_getfd_secure()*
+function. Policy controls anonymous inodes by adding a name-based
+[***type_transition***](type_statements.md#type_transition) rule that assigns
+a *type* to anonymous-inode files created in a domain. The *name* used for the
+name-based transition is the name associated with the anonymous inode for file
+listings, for example:
+
+```
+type uffd_t;
+type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
+allow sysadm_t uffd_t:anon_inode { create };
+```
+
+Currently only ***userfaultfd**(2)* makes use of this service (from kernel 5.12)
+as described in the patch series
+<https://lore.kernel.org/selinux/20210108222223.952458-1-lokeshgidra@google.com/>
+
+**Permissions** - Inherit 25
+[**Common File Permissions**](#common-file-permissions):
+
- *append*, *audit_access*, *create*, *execute*, *execmod*, *getattr*, *ioctl*,
*link*, *lock*, *map*, *mounton*, *open*, *quotaon*, *read*, *relabelfrom*,
*relabelto*, *rename*, *setattr*, *unlink*, *watch*, *watch_mount*,
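Review bot: the example after "for example:" grants only `create` on *uffd_t*, and the new text never says what label an anonymous inode receives when no matching *type_transition* rule exists, even though the paragraph states that policy "controls anonymous inodes by adding a name-based type_transition rule"; add a sentence giving the default labelling when the rule is absent, and say whether `create` alone is enough for the userfaultfd(2) call or whether the ordinary file permissions (*read*, *ioctl*) are also checked on later operations on the descriptor, so the three rules read as a usable template rather than a fragment. A smaller wording point: "Control anonymous-inode files via the kernel *anon_inode_getfd_secure()* function" reads as if policy calls that function; something like "Controls anonymous-inode files that the kernel creates via *anon_inode_getfd_secure()*" states the relationship correctly.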
diff --git a/src/type_statements.md b/src/type_statements.md
index 0d7f137..572c540 100644
--- a/src/type_statements.md
+++ b/src/type_statements.md
@@ -471,6 +471,10 @@ however, this is only appropriate for the file classes:
type_transition source_type target_type : class default_type object_name;
```
+Kernel 5.12 introduced the 'name transition' rule for anonymous inodes that is
+described with an example in the
+[**anon_inode Object Class**](object_classes_permissions.md#anon_inode) section.
+
**Where:**
*type_transition*
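Review bot: the added sentence "Kernel 5.12 introduced the 'name transition' rule for anonymous inodes" can be read as saying that name-based transitions are new in 5.12, but the `object_name` form of `type_transition` shown directly above ("only appropriate for the file classes") already documents them; reword to make clear that 5.12 added the *anon_inode* class, which uses the existing name-based form, for example "Kernel 5.12 added the *anon_inode* class, which also uses the name-based form of this rule; an example is given in the anon_inode Object Class section." Also consider placing the paragraph after the **Where:** field list rather than between the syntax block and **Where:**, so the syntax and its field descriptions stay adjacent.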
--
2.29.2
* Re: [PATCH] object_classes_permissions.md: Add anon_inode class
From: Paul Moore @ 2021-04-08 1:35 UTC (permalink / raw)
To: Richard Haines; +Cc: selinux
On Tue, Mar 9, 2021 at 11:46 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> Add anon_inode class and permissions with example rules. The kernel
> currently only supports userfaultfd(2) services.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> src/object_classes_permissions.md | 28 ++++++++++++++++++++++++++++
> src/type_statements.md | 4 ++++
> 2 files changed, 32 insertions(+)
My apologies that it took a month to merge this, but once again thank
you for the update!
--
paul moore
www.paul-moore.com