SELinux Archive on lore.kernel.org
 help / color / Atom feed
* userfaultfd SELinux support?
@ 2019-07-30 16:45 Nick Kralevich
  2019-07-30 17:59 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Nick Kralevich @ 2019-07-30 16:45 UTC (permalink / raw)
  To: selinux

In glancing over the SELinux code, it appears userfaultfd file
descriptors are not managed by SELinux. Am I perhaps misreading the
kernel code and this is supported? Or is this a known issue? If it's a
known issue, has there been any attempt to add SELinux userfaultfd
file descriptor support?

Thanks,
-- Nick

-- 
Nick Kralevich | nnk@google.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: userfaultfd SELinux support?
  2019-07-30 16:45 userfaultfd SELinux support? Nick Kralevich
@ 2019-07-30 17:59 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2019-07-30 17:59 UTC (permalink / raw)
  To: Nick Kralevich, selinux, Jeffrey Vander Stoep, Paul Moore

On 7/30/19 12:45 PM, Nick Kralevich wrote:
> In glancing over the SELinux code, it appears userfaultfd file
> descriptors are not managed by SELinux. Am I perhaps misreading the
> kernel code and this is supported? Or is this a known issue? If it's a
> known issue, has there been any attempt to add SELinux userfaultfd
> file descriptor support?

I believe that is correct. commit 
cefdca0a86be517bc390fc4541e3674b8e7803b0 introduced a 
vm.unprivileged_userfaultfd sysctl that can be set to 0 to restrict use 
of userfaultfd to processes with CAP_SYS_PTRACE (hence SELinux 
sys_ptrace), but that only restricts the userfaultfd() system call 
itself, not subsequent operations on the returned file.  Controlling 
operations on the userfaultfd files would require addressing the more 
general problem of how anonymous inodes are used and handled in the 
kernel. Presently they are marked S_PRIVATE and exempted by the security 
framework because they have no per-instance state and a single anon 
inode is typically shared by many users.  Setting another label in the 
file security struct and using that instead for permission checks may be 
the only option, but that requires the callers of 
anon_inode_getfd/anon_inode_getfile to pass in additional information 
about the object being represented so we can label it meaningfully.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-30 16:45 userfaultfd SELinux support? Nick Kralevich
2019-07-30 17:59 ` Stephen Smalley

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox