Re: [PATCH v6 0/3] SELinux support for anonymous inodes and UFFD

From: James Morris
Date: Thu Aug 20 2020 - 14:36:48 EST


On Fri, 7 Aug 2020, Lokesh Gidra wrote:

> Userfaultfd in unprivileged contexts could be potentially very
> useful. We'd like to harden userfaultfd to make such unprivileged use
> less risky. This patch series allows SELinux to manage userfaultfd
> file descriptors and, in the future, other kinds of
> anonymous-inode-based file descriptors. SELinux policy authors can
> apply policy types to anonymous inodes by providing name-based
> transition rules keyed off the anonymous inode's internal name
> ("[userfaultfd]" in the case of userfaultfd(2) file descriptors) and
> applying policy to the new SIDs thus produced.

Can you expand more on why this would be useful, e.g. use-cases?


--
James Morris
<jmorris@xxxxxxxxx>