Since this patch is quite straightforward, I have merged it into the ipe#next branch for testing and will send it to Linus during the next merge window.

-Fan

On 2024/10/10 10:42, Fan Wu wrote:
> Currently, all existing IPE properties evaluate to FALSE for
> operations triggered by anonymous memory regions. As a result,
> IPE falls back to the policy's default action for such operations.
>
> In policies where the default action is DENY, this behavior blocks
> all anonymous memory operations, rendering binaries that rely on
> anonymous memory unusable.
>
> This commit introduces a new IPE property, 'anonymous_memory',
> which evaluates to TRUE when an operation is triggered by an
> anonymous memory region. This allows administrators to explicitly
> allow or deny operations involving anonymous memory.
>
> Signed-off-by: Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx>
> ---
>  Documentation/admin-guide/LSM/ipe.rst | 11 +++++++++++
>  Documentation/security/ipe.rst        |  9 +++++----
>  security/ipe/Kconfig                  | 10 ++++++++++
>  security/ipe/audit.c                  |  2 ++
>  security/ipe/eval.c                   | 26 ++++++++++++++++++++++++++
>  security/ipe/policy.h                 |  2 ++
>  security/ipe/policy_parser.c          |  4 ++++
>  7 files changed, 60 insertions(+), 4 deletions(-)
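To make the policy-level effect concrete, here is an added illustration (not part of the patch, its documentation, or any existing IPE policy) of how a default-DENY policy behaves before and after the new property. It assumes that an executable anonymous mapping (for example mmap/mprotect with PROT_EXEC, as used by JIT engines) is evaluated under the EXECUTE operation, and that the new property is written as `anonymous_memory=TRUE` in the same property=value form as the existing boolean properties such as `boot_verified`; both are assumptions based on the commit message, not on the merged code.

```text
# Policy 1 (before this patch, or with the property unused):
# every existing property evaluates to FALSE for an anonymous
# region, so no "op=EXECUTE ... action=ALLOW" rule matches and the
# EXECUTE default of DENY applies. Binaries that need executable
# anonymous memory fail at the mmap/mprotect call.
policy_name=StrictNoAnon policy_version=0.0.1
DEFAULT action=DENY
DEFAULT op=EXECUTE action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW

# Policy 2 (with the property added by this patch, syntax assumed):
# the same defaults, but anonymous regions are now matched
# explicitly instead of silently falling through to the default.
policy_name=StrictAllowAnon policy_version=0.0.1
DEFAULT action=DENY
DEFAULT op=EXECUTE action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
op=EXECUTE anonymous_memory=TRUE action=ALLOW

# Policy 3: the property also lets an administrator state the
# opposite intent explicitly, so the deny is deliberate rather than
# an accident of the default and shows up as such in audit.
policy_name=StrictDenyAnon policy_version=0.0.1
DEFAULT action=DENY
DEFAULT op=EXECUTE action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE anonymous_memory=TRUE action=DENY
```

The practical check after deploying a policy like the second one is to run a workload that relies on executable anonymous memory (a JIT-based runtime is the usual case) and confirm that the mmap/mprotect calls succeed, while file-backed executables that match none of the ALLOW rules are still denied. Note that allowing anonymous memory wholesale reopens the door for code injected at runtime, so the ALLOW rule trades integrity coverage for compatibility and should be scoped as narrowly as the policy language permits.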