[PATCH v10 3/3] Use secure anon inodes for userfaultfd

Eric Biggers ebiggers at kernel.org
Wed Nov 4 20:36:31 UTC 2020


On Sun, Oct 11, 2020 at 01:29:36AM -0700, Lokesh Gidra wrote:
> From: Daniel Colascione <dancol at google.com>
> 
> This change gives userfaultfd file descriptors a real security
> context, allowing policy to act on them.
> 
> Signed-off-by: Daniel Colascione <dancol at google.com>
> 
> [Remove owner inode from userfaultfd_ctx]
> [Use anon_inode_getfd_secure() instead of anon_inode_getfile_secure()
>  in userfaultfd syscall]
> [Use inode of file in userfaultfd_read() in resolve_userfault_fork()]
> 
> Signed-off-by: Lokesh Gidra <lokeshgidra at google.com>
> ---

I'm not an expert in userfaultfd or SELinux, but I don't see any issues with
this patch, and the comments I made earlier were resolved (except for the patch
title which I just pointed out -- it should have "userfaultfd:" prefix).

So feel free to add:

Reviewed-by: Eric Biggers <ebiggers at google.com>



More information about the Linux-security-module-archive mailing list