Hi all,

Kernel 5.12 added support to SELinux for controlling access to the userfaultfd interface [1][2] and we'd like to implement this in Fedora's selinux-policy. However, once we add the corresponding class to the policy, all SELinux domains for which we don't add the appropriate rules will have any usage of userfaultfd(2) denied. Therefore, we would like to identify as many users of this syscall as possible before we make that change, so that we can add and test all the needed rules in one go, minimizing the amount of denials found after the fact.

My understanding is that userfaultfd(2) doesn't have many users among system services, so it should be possible to catch most/all of them in advance.

So if you know that your (or any other) Fedora component uses userfaultfd(2), please let us know. AFAIK, at least QEMU most likely uses it, so we'll have that one on our radar, but we'd like to know if there are any other programs/services we need to cover.

Thanks!

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29cd6591ab6fee3125ea5c1bf350f5013bc615e1
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b537900f1598b67bcb8acac20da73c6e26ebbf99

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
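
One way to gather the list of userfaultfd(2) callers requested above on a test machine, as an added example that is not part of the original message: audit the syscall, then tally the raw SYSCALL records by SELinux domain and executable. The audit key `uffd`, the function names and the sample records (constructed and abbreviated) are assumptions of this example.

```shell
#!/bin/sh
# Added example. To collect real data on a test host (run as root):
#   auditctl -a always,exit -F arch=b64 -S userfaultfd -k uffd
#   ausearch -k uffd --raw | uffd_users
# The key name "uffd" is an assumption of this example.

# Tally userfaultfd(2) callers per SELinux domain and executable from raw
# SYSCALL records on stdin. Syscall numbers are per-architecture, so the
# arch field is checked too: 323 on x86_64 (c000003e), 282 on aarch64 (c00000b7).
uffd_users() {
  awk '
    /^type=SYSCALL / {
      arch = sc = exe = subj = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^arch=/)    arch = substr($i, 6)
        if ($i ~ /^syscall=/) sc   = substr($i, 9)
        if ($i ~ /^exe=/)     exe  = substr($i, 5)
        if ($i ~ /^subj=/)    subj = substr($i, 6)
      }
      uffd = (arch == "c000003e" && sc == "323") || (arch == "c00000b7" && sc == "282")
      if (!uffd) next
      gsub(/"/, "", exe)          # exe="/path" -> /path
      split(subj, ctx, ":")       # user:role:type:level -> ctx[3] is the domain
      n[ctx[3] " " exe]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k2
}

# Constructed, abbreviated sample records (not taken from a real system).
# Two architectures are mixed only to exercise both branches; the systemd
# record is x86_64 syscall 282, which is not userfaultfd and must be skipped.
sample_audit() {
  cat <<'EOF'
type=SYSCALL msg=audit(1620000000.101:501): arch=c000003e syscall=323 success=yes exit=14 pid=2101 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c10,c20 key="uffd"
type=PROCTITLE msg=audit(1620000000.101:501): proctitle="qemu-kvm"
type=SYSCALL msg=audit(1620000007.330:517): arch=c000003e syscall=323 success=yes exit=15 pid=2188 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c30,c40 key="uffd"
type=SYSCALL msg=audit(1620000009.002:520): arch=c000003e syscall=282 success=yes exit=5 pid=1 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=SYSCALL msg=audit(1620000011.750:533): arch=c00000b7 syscall=282 success=yes exit=7 pid=940 comm="example-daemon" exe="/usr/local/bin/example-daemon" subj=system_u:system_r:unconfined_service_t:s0 key="uffd"
EOF
}

sample_audit | uffd_users
```

Each output line is a call count followed by the calling domain and executable, one line per domain/executable pair.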