Subject: Re: [PATCH 4/7] Teach SELinux about a new userfaultfd class
From: Daniel Colascione
Date: Sat, 12 Oct 2019 17:11:40 -0700
To: Andy Lutomirski
Cc: Linux API, LKML, Lokesh Gidra, Nick Kralevich, Nosh Minwalla, Tim Murray
References: <20191012191602.45649-1-dancol@google.com> <20191012191602.45649-5-dancol@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Oct 12, 2019 at 4:09 PM Andy Lutomirski wrote:
>
> On Sat, Oct 12, 2019 at 12:16 PM Daniel Colascione wrote:
> >
> > Use the secure anonymous inode LSM hook we just added to let SELinux
> > policy place restrictions on userfaultfd use. The create operation
> > applies to processes creating new instances of these file objects;
> > transfer between processes is covered by restrictions on read, write,
> > and ioctl access already checked inside selinux_file_receive.
>
> This is great, and I suspect we'll want it for things like SGX, too.
> But the current design seems like it will make it essentially
> impossible for SELinux to reference an anon_inode class whose
> file_operations are in a module, and moving file_operations out of a
> module would be nasty.
>
> Could this instead be keyed off a new struct anon_inode_class, an
> enum, or even just a string?

The new LSM hook already receives the string that callers pass to the anon_inode APIs; modules can look at that instead of the fops if they want. The reason to pass both the name and the fops through the hook is to allow LSMs to match using fops comparison (which seems less prone to breakage) when possible and rely on string matching when it isn't.
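
Added example (not part of the original message or the patch series): a userspace C model of the matching order described in the reply above, where a hook that receives both the name and the fops compares fops first and falls back to the name string for fops it cannot reference. Every identifier here (classify_anon_inode, struct class_rule, enum anon_class, the "[module_dev]" name) is hypothetical, and struct file_operations is a stand-in for the kernel type.

```c
#include <stddef.h>
#include <string.h>

/* Userspace stand-in for the kernel's struct file_operations. */
struct file_operations { int unused; };

enum anon_class { ANON_UNKNOWN = 0, ANON_USERFAULTFD, ANON_MODULE_DEV };

/* Built-in fops: a built-in LSM can take this address at link time. */
static const struct file_operations userfaultfd_fops = { 0 };
/* Models fops owned by a loadable module: the rule table below must
 * not reference it, so that class can only be matched by name. */
static const struct file_operations module_dev_fops = { 0 };

struct class_rule {
    const struct file_operations *fops; /* NULL: match by name instead */
    const char *name;                   /* used only when fops is NULL */
    enum anon_class cls;
};

static const struct class_rule rules[] = {
    { &userfaultfd_fops, NULL,           ANON_USERFAULTFD },
    { NULL,              "[module_dev]", ANON_MODULE_DEV  }, /* hypothetical */
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

enum anon_class classify_anon_inode(const char *name,
                                    const struct file_operations *fops)
{
    size_t i;

    /* Pass 1: fops identity. Unaffected if the caller's name changes. */
    for (i = 0; i < NRULES; i++)
        if (rules[i].fops && rules[i].fops == fops)
            return rules[i].cls;
    /* Pass 2: name string, for fops the LSM cannot link against. */
    for (i = 0; i < NRULES; i++)
        if (!rules[i].fops && name && strcmp(rules[i].name, name) == 0)
            return rules[i].cls;
    return ANON_UNKNOWN; /* caller decides the default policy */
}

int main(void)
{
    /* Constructed inputs: a renamed userfaultfd and a module-owned inode. */
    int ok = classify_anon_inode("[renamed]", &userfaultfd_fops) == ANON_USERFAULTFD
          && classify_anon_inode("[module_dev]", &module_dev_fops) == ANON_MODULE_DEV;
    return ok ? 0 : 1;
}
```

The name-only rule matches whatever string a caller passes, so it is only as stable as that string; the fops rule keeps matching when the string changes.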