After further testing I found the current approach, i.e. checking the existence of a struct file, does not work with memfd, which does use anonymous memory but also has a file struct in the kernel. There might be other cases that I also need to cover. I will redesign the implementation and send another version in the future.

-Fan

On 2024/10/24 15:13, Fan Wu wrote:
> Since this patch is quite straightforward, I have merged it into the ipe#next branch for testing and will send it to Linus during the next merge window.
>
> -Fan
>
> On 2024/10/10 10:42, Fan Wu wrote:
>> Currently, all existing IPE properties evaluate to FALSE for
>> operations triggered by anonymous memory regions. As a result,
>> IPE falls back to the policy's default action for such operations.
>>
>> In policies where the default action is DENY, this behavior blocks
>> all anonymous memory operations, rendering binaries that rely on
>> anonymous memory unusable.
>>
>> This commit introduces a new IPE property, 'anonymous_memory',
>> which evaluates to TRUE when an operation is triggered by an
>> anonymous memory region. This allows administrators to explicitly
>> allow or deny operations involving anonymous memory.
>>
>> Signed-off-by: Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx>
>> ---
>>  Documentation/admin-guide/LSM/ipe.rst | 11 +++++++++++
>>  Documentation/security/ipe.rst        |  9 +++++----
>>  security/ipe/Kconfig                  | 10 ++++++++++
>>  security/ipe/audit.c                  |  2 ++
>>  security/ipe/eval.c                   | 26 ++++++++++++++++++++++++++
>>  security/ipe/policy.h                 |  2 ++
>>  security/ipe/policy_parser.c          |  4 ++++
>>  7 files changed, 60 insertions(+), 4 deletions(-)