Re: Looking for users of userfaultfd(2) syscall in Fedora


On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> Hi all,
> 
> Kernel 5.12 added support to SELinux for controlling access to the
> userfaultfd interface [1][2] and we'd like to implement this in
> Fedora's selinux-policy. However, once we add the corresponding class
> to the policy, all SELinux domains for which we don't add the
> appropriate rules will have any usage of userfaultfd(2) denied.
> 
> Therefore, we would like to identify as many users of this syscall as
> possible before we make that change, so that we can add and test all
> the needed rules in one go, minimizing the amount of denials found
> after the fact. My understanding is that userfaultfd(2) doesn't have
> many users among system services, so it should be possible to catch
> most/all of them in advance.
> 
> So if you know that your (or any other) Fedora component uses
> userfaultfd(2), please let us know. AFAIK, at least QEMU most likely
> uses it, so we'll have that one on our radar, but we'd like to know if
> there are any other programs/services we need to cover.

CRIU can use userfaultfd to lazy migrate processes from one host to
another. It can also be triggered from runc when migrating containers.
As far as I know, userfaultfd-based container migration is not exposed in
any container engine above the level of runc.

		Adrian
