[RFC PATCH] security, anon_inodes, kvm: enable security support for anon inodes
Stephen Smalley
sds at tycho.nsa.gov
Thu Feb 13 19:47:35 UTC 2020
On 2/13/20 2:41 PM, Stephen Smalley wrote:
> An example of a sample program and policy will follow in a follow-up
> to this patch to demonstrate the effect on userfaultfd and kvm.

Attached are example test programs and policies to demonstrate the
change in behavior before and after this RFC patch for userfaultfd and
kvm. The test policies can be edited to selectively allow specific
permissions for testing various scenarios, but with the defaults in
them, one should see the following behavior:

sudo semodule -i kvm.cil userfaultfd.cil
make kvm userfaultfd

Before:
(no labeling/access control applied by SELinux to userfaultfd files or
to anon inodes created by kvm)
$ ./userfaultfd
api: 170
features: 510
ioctls: 9223372036854775811
read: Resource temporarily unavailable
$ ./kvm
api version: 12
created vm
created vcpu
rax: 0
rbx: 0
rcx: 0
rdx: 1536
rdi: 0
rsi: 0
rsp: 0
rbp: 0
r8: 0
r9: 0
r10: 0
r11: 0
r12: 0
r13: 0
r14: 0
r15: 0
rip: 65520
rflags: 2
created device
checked device attr
After:
(SELinux ioctl whitelisting used to selectively deny access)
./userfaultfd
UFFDIO_API: Permission denied
$ ./kvm
api version: 12
created vm
created vcpu
KVM_GET_REGS: Permission denied
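The attached test programs are not reproduced in the archive. The following is an added example, not Stephen Smalley's code, that mirrors the first step of the userfaultfd test: it creates a userfaultfd and attempts the UFFDIO_API handshake, then classifies the outcome so that the "before" (handshake completes) and "after" (EACCES, "Permission denied") behaviours shown above can be distinguished from an environment where userfaultfd simply cannot be exercised. The struct and ioctl number are a minimal stand-in for `<linux/userfaultfd.h>` (assumed from the kernel uAPI, so the example builds without that header); the function names `classify_errno` and `probe_userfaultfd` are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>

/* Outcome of the probe: the handshake either completes, is refused by the
 * LSM, or cannot be tried at all on this system. */
enum probe_result {
    PROBE_OK = 0,          /* UFFDIO_API succeeded ("before" behaviour) */
    PROBE_DENIED = 1,      /* EACCES: policy denied the create or the ioctl ("after") */
    PROBE_UNAVAILABLE = 2  /* anything else: no syscall, sysctl restriction, etc. */
};

/* Minimal stand-in for struct uffdio_api and the UFFDIO_API ioctl number from
 * <linux/userfaultfd.h> (assumed from the kernel uAPI; 0xAA is the UFFD_API
 * value the test output above prints as "api: 170"). */
struct uffdio_api_compat {
    uint64_t api;
    uint64_t features;
    uint64_t ioctls;
};
#define UFFD_API_COMPAT   ((uint64_t)0xAA)
#define UFFDIO_API_COMPAT _IOWR(0xAA, 0x3F, struct uffdio_api_compat)

/* Compatible redeclaration in case the libc headers hide syscall() under a
 * strict standards mode. */
extern long syscall(long number, ...);

/* Map an errno from either step to a probe result. SELinux AVC denials reach
 * userspace as EACCES, which strerror() renders as "Permission denied". */
int classify_errno(int err)
{
    switch (err) {
    case 0:      return PROBE_OK;
    case EACCES: return PROBE_DENIED;
    default:     return PROBE_UNAVAILABLE;
    }
}

/* Create a userfaultfd and attempt the UFFDIO_API handshake. On return
 * *err_out holds the errno of the failing step (0 on success) and *stage_out
 * says which step failed: 0 = userfaultfd() syscall, 1 = UFFDIO_API ioctl. */
int probe_userfaultfd(int *err_out, int *stage_out)
{
    int err = 0, stage = 0;
#ifdef SYS_userfaultfd
    long fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) {
        err = errno;                      /* create step refused or unsupported */
    } else {
        struct uffdio_api_compat api = { .api = UFFD_API_COMPAT, .features = 0, .ioctls = 0 };
        stage = 1;
        if (ioctl((int)fd, UFFDIO_API_COMPAT, &api) < 0)
            err = errno;                  /* ioctl step refused (EACCES under the new policy) */
        close((int)fd);
    }
#else
    err = ENOSYS;  /* this libc knows no userfaultfd syscall */
#endif
    if (err_out) *err_out = err;
    if (stage_out) *stage_out = stage;
    return classify_errno(err);
}

int main(void)
{
    int err = 0, stage = 0;
    int r = probe_userfaultfd(&err, &stage);
    const char *step = stage ? "UFFDIO_API" : "userfaultfd";
    switch (r) {
    case PROBE_OK:
        puts("UFFDIO_API handshake completed: no LSM denial on this anon inode");
        break;
    case PROBE_DENIED:
        printf("%s: %s (policy denial; the matching AVC record is in the audit log)\n",
               step, strerror(err));
        break;
    default:
        printf("%s: %s (could not exercise the handshake)\n", step, strerror(err));
    }
    return 0;
}
```

Build with `gcc -o uffd_probe uffd_probe.c` and run it once before and once after loading the test policy; a PROBE_DENIED result at stage 1 corresponds to the "UFFDIO_API: Permission denied" line above, and `ausearch -m avc` shows the denial the new labeling produced. The probe deliberately separates EACCES from every other failure so that an unprivileged_userfaultfd sysctl restriction or a missing syscall is not mistaken for a policy effect.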