[PATCH v15 0/4] SELinux support for anonymous inodes and UFFD

Lokesh Gidra lokeshgidra at google.com
Thu Jan 14 22:50:44 UTC 2021 

On Thu, Jan 14, 2021 at 2:47 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Tue, Jan 12, 2021 at 12:15 PM Paul Moore <paul at paul-moore.com> wrote:
> >
> > On Fri, Jan 8, 2021 at 5:22 PM Lokesh Gidra <lokeshgidra at google.com> wrote:
> > >
> > > Userfaultfd in unprivileged contexts could be potentially very
> > > useful. We'd like to harden userfaultfd to make such unprivileged use
> > > less risky. This patch series allows SELinux to manage userfaultfd
> > > file descriptors and in the future, other kinds of
> > > anonymous-inode-based file descriptor.
> >
> > ...
> >
> > > Daniel Colascione (3):
> > >   fs: add LSM-supporting anon-inode interface
> > >   selinux: teach SELinux about anonymous inodes
> > >   userfaultfd: use secure anon inodes for userfaultfd
> > >
> > > Lokesh Gidra (1):
> > >   security: add inode_init_security_anon() LSM hook
> > >
> > >  fs/anon_inodes.c                    | 150 ++++++++++++++++++++--------
> > >  fs/libfs.c                          |   5 -
> > >  fs/userfaultfd.c                    |  19 ++--
> > >  include/linux/anon_inodes.h         |   5 +
> > >  include/linux/lsm_hook_defs.h       |   2 +
> > >  include/linux/lsm_hooks.h           |   9 ++
> > >  include/linux/security.h            |  10 ++
> > >  security/security.c                 |   8 ++
> > >  security/selinux/hooks.c            |  57 +++++++++++
> > >  security/selinux/include/classmap.h |   2 +
> > >  10 files changed, 213 insertions(+), 54 deletions(-)
> >
> > With several rounds of reviews done and the corresponding SELinux test
> > suite looking close to being ready I think it makes sense to merge
> > this via the SELinux tree.  VFS folks, if you have any comments or
> > objections please let me know soon.  If I don't hear anything within
> > the next day or two I'll go ahead and merge this for linux-next.
>
> With no comments over the last two days I merged the patchset into
> selinux/next.  Thanks for all your work and patience on this Lokesh.
>
Thanks so much.

> Also, it looks like you are very close to getting the associated
> SELinux test suite additions merged, please continue to work with
> Ondrej to get those merged soon.
>
Certainly! I'm waiting for his reviews for the latest patch.

> --
> paul moore
> www.paul-moore.com

More information about the Linux-security-module-archive mailing list