From: Andy Lutomirski
Date: Sat, 12 Oct 2019 16:08:54 -0700
Subject: Re: [PATCH 4/7] Teach SELinux about a new userfaultfd class
To: Daniel Colascione
Cc: Linux API, LKML, lokeshgidra@google.com, Nick Kralevich, nosh@google.com, Tim Murray
References: <20191012191602.45649-1-dancol@google.com> <20191012191602.45649-5-dancol@google.com>
In-Reply-To: <20191012191602.45649-5-dancol@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Oct 12, 2019 at 12:16 PM Daniel Colascione wrote:
>
> Use the secure anonymous inode LSM hook we just added to let SELinux
> policy place restrictions on userfaultfd use. The create operation
> applies to processes creating new instances of these file objects;
> transfer between processes is covered by restrictions on read, write,
> and ioctl access already checked inside selinux_file_receive.

This is great, and I suspect we'll want it for things like SGX, too.

But the current design seems like it will make it essentially impossible for SELinux to reference an anon_inode class whose file_operations are in a module, and moving file_operations out of a module would be nasty.

Could this instead be keyed off a new struct anon_inode_class, an enum, or even just a string?

--Andy