[PATCH v6 0/3] SELinux support for anonymous inodes and UFFD
James Morris
jmorris at namei.org
Thu Aug 20 18:35:38 UTC 2020
On Fri, 7 Aug 2020, Lokesh Gidra wrote:
> Userfaultfd in unprivileged contexts could be potentially very
> useful. We'd like to harden userfaultfd to make such unprivileged use
> less risky. This patch series allows SELinux to manage userfaultfd
> file descriptors and in the future, other kinds of
> anonymous-inode-based file descriptor. SELinux policy authors can
> apply policy types to anonymous inodes by providing name-based
> transition rules keyed off the anonymous inode internal name
> ("[userfaultfd]" in the case of userfaultfd(2) file descriptors) and
> applying policy to the new SIDs thus produced.
Can you expand more on why this would be useful, e.g. use-cases?
--
James Morris
<jmorris at namei.org>