On Sat, Oct 12, 2019 at 12:16 PM Daniel Colascione <dancol@xxxxxxxxxx> wrote:
>
> The new secure flag makes userfaultfd use a new "secure" anonymous
> file object instead of the default one, letting security modules
> supervise userfaultfd use.
>
> Requiring that users pass a new flag lets us avoid changing the
> semantics for existing callers.

Is there any good reason not to make this be the default?

The only downside I can see is that it would increase the memory usage
of userfaultfd(), but that doesn't seem like such a big deal. A
lighter-weight alternative would be to have a single inode shared by
all userfaultfd instances, which would require a somewhat different
internal anon_inode API.

In any event, I don't think that "make me visible to SELinux" should
be a choice that user code makes.

--Andy