From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel Colascione Subject: Re: [PATCH 4/7] Teach SELinux about a new userfaultfd class Date: Sat, 12 Oct 2019 17:11:40 -0700 Message-ID: References: <20191012191602.45649-1-dancol@google.com> <20191012191602.45649-5-dancol@google.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Andy Lutomirski Cc: Linux API , LKML , Lokesh Gidra , Nick Kralevich , Nosh Minwalla , Tim Murray List-Id: linux-api@vger.kernel.org On Sat, Oct 12, 2019 at 4:09 PM Andy Lutomirski wrote: > > On Sat, Oct 12, 2019 at 12:16 PM Daniel Colascione wrote: > > > > Use the secure anonymous inode LSM hook we just added to let SELinux > > policy place restrictions on userfaultfd use. The create operation > > applies to processes creating new instances of these file objects; > > transfer between processes is covered by restrictions on read, write, > > and ioctl access already checked inside selinux_file_receive. > > This is great, and I suspect we'll want it for things like SGX, too. > But the current design seems like it will make it essentially > impossible for SELinux to reference an anon_inode class whose > file_operations are in a module, and moving file_operations out of a > module would be nasty. > > Could this instead be keyed off a new struct anon_inode_class, an > enum, or even just a string? The new LSM hook already receives the string that callers pass to the anon_inode APIs; modules can look at that instead of the fops if they want. The reason to pass both the name and the fops through the hook is to allow LSMs to match using fops comparison (which seems less prone to breakage) when possible and rely on string matching when it isn't.