Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4759805rdb; Tue, 12 Dec 2023 08:34:00 -0800 (PST) X-Google-Smtp-Source: AGHT+IEdampqtg3AmBzV3fXcLZOUbeH1zLcFL37p/1XTZLPYxm2sPCzEXtgAIAqXGC8K5YPXF0u9 X-Received: by 2002:a17:902:900b:b0:1d0:6ffe:a28 with SMTP id a11-20020a170902900b00b001d06ffe0a28mr5918101plp.134.1702398840346; Tue, 12 Dec 2023 08:34:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702398840; cv=none; d=google.com; s=arc-20160816; b=GfFmnbYLYd1rvn1Nh9/p9sn0gN23uDUerjQi9Qfh59vKNF+jeYX5FCt7WA8y/Ezy0B HoeehENdPFkqjDOapmYOf7iRGANqY61GKirSs0K2UsMcbozANb2ZM3D1cgugoZwjD+y3 DtdkunlyDq5SDa55n9RIymomFpga/Y4wUKuDorSLDCvTahBf2g4qhSr23zNfYClwuuL1 JiuRXC3bWPL182o3SBnGO/s4JTrQMvanp+Y46J15GhUyQ+MJmYS4BZCZ2TK3nUCLM1+L mwm9DE990YWTV21fK4v8RiQCkHLdZ0Y3p2fvR3rTdjA2qNeGSJavQgklx4Pzu4K4QSOY QuKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from:cc :references:to:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature; bh=PfzYYzAu0GcZMpn3lDDRxLehdkHTWolcz4K7BoULOl4=; fh=Wzh1alIH5AzBFGYJWhzcJGQvgcr0jFGUawAVrAhkR+Q=; b=McLETCWwD+RbUa6FTBsX6df6sRc1WXVyX5TsHEg5jdEWX47U7p5HCFH6ZpF0yPBJ1m Db2mshx0cbXlps/lVMvUYQvwOktM+GNIMfvt3Y7hJdYtG64INgFC6X0qjykoAil7wVce jDD8v4Dd1phkjK6Q17eoPgR/jmBfSMI2LQbNlBrkLPCyOyuJnHnnXWfAjIlmCettNd8e qrrFcVul6jUQlcoUOJBJiSHhXT7j2tz5w2KmgLTLfBFaPCAc4gkPNe4JrQ1oKFhvNwLk nQI9MfRf+3pkmI/x3i6CqMFKjxP5J1NbmBjQdlNc6h9U9CoslwdB0R8bjPCMEuFTMR6+ Rlnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=o1YuTYWd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id i13-20020a17090332cd00b001d345c8bbedsi392986plr.353.2023.12.12.08.33.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Dec 2023 08:34:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=o1YuTYWd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 5C402801BADD; Tue, 12 Dec 2023 08:33:56 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232565AbjLLQdl (ORCPT + 99 others); Tue, 12 Dec 2023 11:33:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50978 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232642AbjLLQdk (ORCPT ); Tue, 12 Dec 2023 11:33:40 -0500 Received: from sonic302-27.consmr.mail.ne1.yahoo.com (sonic302-27.consmr.mail.ne1.yahoo.com [66.163.186.153]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53FC7DB for ; Tue, 12 Dec 2023 08:33:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702398823; bh=PfzYYzAu0GcZMpn3lDDRxLehdkHTWolcz4K7BoULOl4=; h=Date:Subject:To:References:Cc:From:In-Reply-To:From:Subject:Reply-To; b=o1YuTYWdhdWnSH6lizKbRTdg4R27G/gYEA2oH22tu5Y6PpQSsccf0NUaukKbbXqDKbFjVF0jsn7j6Fxx3yFSzC0UrUTzaZqfhjsrypI4otctLR2CD5D10yIAHM1KJi9I95QLAqvTEaGB8xoy8/LyTdlktobjPWz+Y+uLeldVq7V3n32ac4UOt768VPvEd1GvOV3LvyI+qBBLkf+9/ush3FVheOylP6B1OefgNhqnLQePvcE6JdYuyw5Ibu8pvcg3npt0+HcnYcxlU8vsFsRs3s8aAX0LxFbM2uyEJPRd1xbwE4TScivJX3R6oGJTj1dJbQVhXlPkrRqen617WQQAKQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702398823; bh=VZeZmwXcz2w/s7Y+30wYdaRolvHMVp35LANf9fVni3M=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=J/96CdG8gwbfKnLhAMgXtV8HFQLNq0Tp/kX9sREySuKlFny+2KCIqj/tGSvuTrKdn7a2s8F8HaSXfkIgQPWRWkHKMpMfqwIwrnIZFfVathPFcxBFqFpp+jx4biADTH5FwtDAVXOyHRgoQUhuvgHc1v+aABuYcDYL5cHtTDbZWsBbl76x5DqSsi0l8GNI8aDVXjVMsUPGFF37QK9IPJiHTk8Jcn0op6DFoezLTVvMNaYuH1ZOvqxU1bzIsXbS0sDYnv88SErAtf7UXq92rENm7CAtro/X22Nx1ULlSyNMyziACONNbG/7XX+CBBx67bguHWHClk/pACnPGaLi3F+Vkw== X-YMail-OSG: GQfemjMVM1lHU9Sya1oZ3eUxSPN_FzZr.rp_yr0greAvxGJjDQ5Dv6ZHDaIwECD PCLxSJx0o3aih.mO64hT0GxtAGUTqVX.gA6J0mD5R4JqVdbZ_VkUaFmvW8Hvuxxjf8frs80dRS9o FGl2XanQZ1M4MVqqZhFKYjfOxBFEQbiny_DtwOQ.Dp0zt2mGHDp54OVsI0bPAFrHZppzLO63D.2V 5al6F9Nyplv7ZTFWcuVHWqXioVdDz77FgVsvdMSVrLuLF8PSEC2mw6HMvLU6K8n7PiArorX3oNVn YyLgrQ14WepCFsVKP_djYyUTIcd8INmpW9cbwFABQIHOXIDXpv_WirvP4vWAWU2haTSo.29hIcws Zvlkq52qaSpe6xRPm0O1.tXgRw9Pu7cCP8qKmae7x3n4SKUwV2o0HHRTzBcJvtFX6l6xFdMC4mv3 4LPkZ97B8mGrq7QSvsRDqmY4d.akKr20HW_ySUxK_Q9A.CpYlrlEY1eU2nHbCEJAbpowHd9nwVtN h00yaErl7_PzpcBeg7PK.YPAlE0sCfxj5ONuvQ56aUmytMEeUCeQYzOj_vQhxjIwwCTAtowy7FdS S1Q7OoAUb04r7KyMPPvLlS53tpX8onk1zK8o7CCCfRvQxta.d6L8I.PM4nyeHzgAkn5SLK9Ysy0O Sww4dYALRC7P1CIuCwHHdmidXBxbiAaB2XJuSB.Jz7m8WHCEVtEPxNnHXkF18QkDY_s_68e.VUsm N.7Z1vTg2oU7cSGN.ji.nckeTZa0jWkTpQ0VJTWSyuLQzT2z4zy0bR87RVgj26NRBRgWAyEpm8er LmzqL8VVD.Czg.n29Wb299Wty.F8yqfHjeWLouVtuFSNzoXnhqJ.bBE5BbBMFfS__AV3PDAE6ZPq i3CPgWjmVXc_wXuuCy_qIDH7lJzN7yKNLigbAx474lMdf7WjNdfUiW9hk9nSZwP.P7Naw3iZKn4h LEGmB1qVeb1kIii9BbygPLJsWp8GKV.istO8lNYRPV3eJbL7eiY2j3eJ3mlM25OjcKN93D1FZseK ektgZOPEKbr1V12pvSDFgXRF_f7DPb_O7hH5HwdtOQFbgYx_UKdfAQH7dz36kAm.NT9xPzCUjS0F cMIMEv45nxAZkPCvAsiif3Tq6h6txgr9zczDpg7ipj2Hs5RRtlyJ_Nf5naJ5W4cLGOUnQjqKO2Mb cJxjUgHpb6hAGPETx.UDAwb6x3UMQq_pwnGDcmR3Cc5wJEAtyPmtmoTATOAIbh_6OhDPGzW3Kfuo E2p0aqm.DewyQGnEPCUpc1jhqQtGik7CXsUiNKqMGEfNkqssPlnxiUu5R7B04etTv3TPlILyns.s 4X6mFVd75a5Tzeq5H_vS0CFe37qUWDNWROkb70ZDC1AiuJknCvqsiQ8ypXkdGVSM7UfoAQfw5qgt NmN40_ppASoLAiRj7iyJHoxkW6_fulJCEXW3fuQgHplG2K2J13y5tEgA2czh1iyOuFC5MecqG3jY iGczR0LFMqufeTOwlN8EnsyYZJ.AVURasgt93MtphtOer1R7KTgWsnNjEX_CfA5cZ_1nyEQZG9fE E8IhaUpRUONY8xfwU9tEOAyAWSVdk3j0r0s9H.9936nvarTsYOwoB0Paq2tKQ2YATN6QC4Aq7NDj MBzK8ktqh7Xz3gWVhHfaACpRaV07_0WMt1qhcSMZNxzQpQsgi7e1bffg6VkpjQAM9vi5MndOtveX JQQ3jyAQ2wj1LmJNYU7CHzqhVwUGffPAkZZnc8FukMEWGKwOHX4xRu0sxchY8OeQKZvKjEIwQBge 3Age0HPPiTZ4H57BBYGjfIxPSz0TiXuzHviDI09CDc.JE17eoLsEmgCCqx.RmkshmvFS7vIn_fpi sDXuDLs9lcNJ36CIBIayBGSQm4JkxCEsRyD8.72y3P9lD6cRqk9CXIoB9FXL7xKdX.Qucrd9muEU vD1Xo7O0tqJ_umnHTzZkvlQL7bQnO.QCcPFjHWqklmD8..Vj.Z1iKyldCJr2wiNcJqIx7qKSSKT2 vtoXNRTC3CRk0wWMXp_fJwV5yChwdYGvvvg8LivztaYtdZ3zF0D9hYu8h8KgG_U2rQUIDNoSjXXK XE7rqj2w1OrEEqLvOm9.LfxX86t9QWQKDCZc_u0vEhVqDmLINmKa3RB9eSyYouGxIpdJFxxuD2SI r_QlX8nGCzrnQ4WwG8vjFUm8Z5zyuIg3qnPWZ1KyA7frAoXPFBJ3Z.hS1jsu2BwJM8BEv1eWiYrc 0eCL7A6lE6MsgZOCUHTB28mLivPbAWTd8zQZzjkfR8xAqa18JmoaxLgC1tkCXwdAjf2XS5tk8KBm GtCnOiGlX8cE4RLQ1yosj X-Sonic-MF: X-Sonic-ID: 14f5b0a1-e886-4b05-b9e8-67de0727e527 Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ne1.yahoo.com with HTTP; Tue, 12 Dec 2023 16:33:43 +0000 Received: by hermes--production-gq1-64499dfdcc-pxg8l (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 74da5172b15303642e3db225338ccf69; Tue, 12 Dec 2023 16:33:41 +0000 (UTC) Message-ID: Date: Tue, 12 Dec 2023 08:33:39 -0800 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v5 4/4] vduse: Add LSM hook to check Virtio device type Content-Language: en-US To: Maxime Coquelin , mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, xieyongji@bytedance.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, david.marchand@redhat.com, lulu@redhat.com References: <20231212131712.1816324-1-maxime.coquelin@redhat.com> <20231212131712.1816324-5-maxime.coquelin@redhat.com> Cc: Casey Schaufler From: Casey Schaufler In-Reply-To: <20231212131712.1816324-5-maxime.coquelin@redhat.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Mailer: WebService/1.1.21952 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Tue, 12 Dec 2023 08:33:56 -0800 (PST) On 12/12/2023 5:17 AM, Maxime Coquelin wrote: > This patch introduces a LSM hook for devices creation, > destruction (ioctl()) and opening (open()) operations, > checking the application is allowed to perform these > operations for the Virtio device type. My earlier comments on a vduse specific LSM hook still hold. I would much prefer to see a device permissions hook(s) that are useful for devices in general. Not just vduse devices. I know that there are already some very special purpose LSM hooks, but the experience with maintaining them is why I don't want more of them. > > Signed-off-by: Maxime Coquelin > --- > MAINTAINERS | 1 + > drivers/vdpa/vdpa_user/vduse_dev.c | 13 ++++++++++++ > include/linux/lsm_hook_defs.h | 2 ++ > include/linux/security.h | 6 ++++++ > include/linux/vduse.h | 14 +++++++++++++ > security/security.c | 15 ++++++++++++++ > security/selinux/hooks.c | 32 +++++++++++++++++++++++++++++ > security/selinux/include/classmap.h | 2 ++ > 8 files changed, 85 insertions(+) > create mode 100644 include/linux/vduse.h > > diff --git a/MAINTAINERS b/MAINTAINERS > index a0fb0df07b43..4e83b14358d2 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -23040,6 +23040,7 @@ F: drivers/net/virtio_net.c > F: drivers/vdpa/ > F: drivers/virtio/ > F: include/linux/vdpa.h > +F: include/linux/vduse.h > F: include/linux/virtio*.h > F: include/linux/vringh.h > F: include/uapi/linux/virtio_*.h > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > index fa62825be378..59ab7eb62e20 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > @@ -8,6 +8,7 @@ > * > */ > > +#include "linux/security.h" > #include > #include > #include > @@ -30,6 +31,7 @@ > #include > #include > #include > +#include > > #include "iova_domain.h" > > @@ -1442,6 +1444,10 @@ static int vduse_dev_open(struct inode *inode, struct file *file) > if (dev->connected) > goto unlock; > > + ret = -EPERM; > + if (security_vduse_perm_check(VDUSE_PERM_OPEN, dev->device_id)) > + goto unlock; > + > ret = 0; > dev->connected = true; > file->private_data = dev; > @@ -1664,6 +1670,9 @@ static int vduse_destroy_dev(char *name) > if (!dev) > return -EINVAL; > > + if (security_vduse_perm_check(VDUSE_PERM_DESTROY, dev->device_id)) > + return -EPERM; > + > mutex_lock(&dev->lock); > if (dev->vdev || dev->connected) { > mutex_unlock(&dev->lock); > @@ -1828,6 +1837,10 @@ static int vduse_create_dev(struct vduse_dev_config *config, > int ret; > struct vduse_dev *dev; > > + ret = -EPERM; > + if (security_vduse_perm_check(VDUSE_PERM_CREATE, config->device_id)) > + goto err; > + > ret = -EEXIST; > if (vduse_find_dev(config->name)) > goto err; > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index ff217a5ce552..3930ab2ae974 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -419,3 +419,5 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) > LSM_HOOK(int, 0, uring_sqpoll, void) > LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) > #endif /* CONFIG_IO_URING */ > + > +LSM_HOOK(int, 0, vduse_perm_check, enum vduse_op_perm op_perm, u32 device_id) > diff --git a/include/linux/security.h b/include/linux/security.h > index 1d1df326c881..2a2054172394 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -32,6 +32,7 @@ > #include > #include > #include > +#include > > struct linux_binprm; > struct cred; > @@ -484,6 +485,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); > int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); > int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); > int security_locked_down(enum lockdown_reason what); > +int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id); > #else /* CONFIG_SECURITY */ > > static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) > @@ -1395,6 +1397,10 @@ static inline int security_locked_down(enum lockdown_reason what) > { > return 0; > } > +static inline int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) > +{ > + return 0; > +} > #endif /* CONFIG_SECURITY */ > > #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) > diff --git a/include/linux/vduse.h b/include/linux/vduse.h > new file mode 100644 > index 000000000000..7a20dcc43997 > --- /dev/null > +++ b/include/linux/vduse.h > @@ -0,0 +1,14 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +#ifndef _LINUX_VDUSE_H > +#define _LINUX_VDUSE_H > + > +/* > + * The permission required for a VDUSE device operation. > + */ > +enum vduse_op_perm { > + VDUSE_PERM_CREATE, > + VDUSE_PERM_DESTROY, > + VDUSE_PERM_OPEN, > +}; > + > +#endif /* _LINUX_VDUSE_H */ > diff --git a/security/security.c b/security/security.c > index dcb3e7014f9b..150abf85f97d 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -5337,3 +5337,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) > return call_int_hook(uring_cmd, 0, ioucmd); > } > #endif /* CONFIG_IO_URING */ > + > +/** > + * security_vduse_perm_check() - Check if a VDUSE device type operation is allowed > + * @op_perm: the operation type > + * @device_id: the Virtio device ID > + * > + * Check whether the Virtio device creation is allowed > + * > + * Return: Returns 0 if permission is granted. > + */ > +int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) > +{ > + return call_int_hook(vduse_perm_check, 0, op_perm, device_id); > +} > +EXPORT_SYMBOL(security_vduse_perm_check); > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index feda711c6b7b..18845e4f682f 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -21,6 +21,8 @@ > * Copyright (C) 2016 Mellanox Technologies > */ > > +#include "av_permissions.h" > +#include "linux/vduse.h" > #include > #include > #include > @@ -92,6 +94,7 @@ > #include > #include > #include > +#include > > #include "avc.h" > #include "objsec.h" > @@ -6950,6 +6953,34 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) > } > #endif /* CONFIG_IO_URING */ > > +static int selinux_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) > +{ > + u32 requested_op, requested_type, sid = current_sid(); > + int ret; > + > + if (op_perm == VDUSE_PERM_CREATE) > + requested_op = VDUSE__CREATE; > + else if (op_perm == VDUSE__DESTROY) > + requested_op = VDUSE__DESTROY; > + else if (op_perm == VDUSE_PERM_OPEN) > + requested_op = VDUSE__OPEN; > + else > + return -EINVAL; > + > + ret = avc_has_perm(sid, sid, SECCLASS_VDUSE, requested_op, NULL); > + if (ret) > + return ret; > + > + if (device_id == VIRTIO_ID_NET) > + requested_type = VDUSE__NET; > + else if (device_id == VIRTIO_ID_BLOCK) > + requested_type = VDUSE__BLOCK; > + else > + return -EINVAL; > + > + return avc_has_perm(sid, sid, SECCLASS_VDUSE, requested_type, NULL); > +} > + > /* > * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: > * 1. any hooks that don't belong to (2.) or (3.) below, > @@ -7243,6 +7274,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { > #ifdef CONFIG_PERF_EVENTS > LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), > #endif > + LSM_HOOK_INIT(vduse_perm_check, selinux_vduse_perm_check), > }; > > static __init int selinux_init(void) > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h > index a3c380775d41..b0a358cbac1c 100644 > --- a/security/selinux/include/classmap.h > +++ b/security/selinux/include/classmap.h > @@ -256,6 +256,8 @@ const struct security_class_mapping secclass_map[] = { > { "override_creds", "sqpoll", "cmd", NULL } }, > { "user_namespace", > { "create", NULL } }, > + { "vduse", > + { "create", "destroy", "open", "net", "block", NULL} }, > { NULL } > }; >