* userfaultfd SELinux support?
@ 2019-07-30 16:45 Nick Kralevich
2019-07-30 17:59 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Nick Kralevich @ 2019-07-30 16:45 UTC (permalink / raw)
To: selinux
In glancing over the SELinux code, it appears userfaultfd file
descriptors are not managed by SELinux. Am I perhaps misreading the
kernel code and this is supported? Or is this a known issue? If it's a
known issue, has there been any attempt to add SELinux userfaultfd
file descriptor support?
Thanks,
-- Nick
--
Nick Kralevich | nnk@google.com
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: userfaultfd SELinux support?
2019-07-30 16:45 userfaultfd SELinux support? Nick Kralevich
@ 2019-07-30 17:59 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2019-07-30 17:59 UTC (permalink / raw)
To: Nick Kralevich, selinux, Jeffrey Vander Stoep, Paul Moore
On 7/30/19 12:45 PM, Nick Kralevich wrote:
> In glancing over the SELinux code, it appears userfaultfd file
> descriptors are not managed by SELinux. Am I perhaps misreading the
> kernel code and this is supported? Or is this a known issue? If it's a
> known issue, has there been any attempt to add SELinux userfaultfd
> file descriptor support?
I believe that is correct. commit
cefdca0a86be517bc390fc4541e3674b8e7803b0 introduced a
vm.unprivileged_userfaultfd sysctl that can be set to 0 to restrict use
of userfaultfd to processes with CAP_SYS_PTRACE (hence SELinux
sys_ptrace), but that only restricts the userfaultfd() system call
itself, not subsequent operations on the returned file. Controlling
operations on the userfaultfd files would require addressing the more
general problem of how anonymous inodes are used and handled in the
kernel. Presently they are marked S_PRIVATE and exempted by the security
framework because they have no per-instance state and a single anon
inode is typically shared by many users. Setting another label in the
file security struct and using that instead for permission checks may be
the only option, but that requires the callers of
anon_inode_getfd/anon_inode_getfile to pass in additional information
about the object being represented so we can label it meaningfully.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-07-30 17:59 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-30 16:45 userfaultfd SELinux support? Nick Kralevich
2019-07-30 17:59 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).