On Thu, Aug 20, 2020 at 11:36 AM James Morris <jmorris@xxxxxxxxx> wrote:
>
> On Fri, 7 Aug 2020, Lokesh Gidra wrote:
>
> > Userfaultfd in unprivileged contexts could be potentially very
> > useful. We'd like to harden userfaultfd to make such unprivileged use
> > less risky. This patch series allows SELinux to manage userfaultfd
> > file descriptors and in the future, other kinds of
> > anonymous-inode-based file descriptor. SELinux policy authors can
> > apply policy types to anonymous inodes by providing name-based
> > transition rules keyed off the anonymous inode internal name (
> > "[userfaultfd]" in the case of userfaultfd(2) file descriptors) and
> > applying policy to the new SIDs thus produced.
>
> Can you expand more on why this would be useful, e.g. use-cases?
>

With SELinux managed userfaultfd file descriptors, an administrator can
control creation and movement of them. In particular, handling of a
userfaultfd descriptor by a different process is essentially a ptrace
access into the process, without any of the corresponding
security_ptrace_access_check() checks. For privacy, the admin may want to
deny such accesses, which is possible with SELinux support.

I'll add this use case in the cover letter too in the next version.
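The mechanism described in the quoted cover letter (a name-based type transition keyed off the anonymous inode's internal name, then ordinary policy on the resulting type) can be illustrated with a small policy fragment. This is an added example, not policy from the posted series or from the SELinux reference policy. It assumes an object class named anon_inode for anonymous inodes (the series quoted here does not name the class), a hypothetical application domain myapp_t, and a hypothetical label uffd_t for the descriptors it creates.

```text
# Added example SELinux policy fragment (not part of the posted series).
# Assumptions: object class "anon_inode" for anonymous inodes; myapp_t is a
# hypothetical application domain; uffd_t is a hypothetical type for the
# userfaultfd(2) descriptors that myapp_t creates.

type uffd_t;

# Name-based transition: when myapp_t creates an anonymous inode whose
# internal name is "[userfaultfd]", label the new inode uffd_t instead of
# the creating task's own type.
type_transition myapp_t myapp_t:anon_inode uffd_t "[userfaultfd]";

# Let myapp_t create and drive its own descriptors.
allow myapp_t uffd_t:anon_inode { create read write ioctl };

# Deliberately no rule of the form
#   allow other_domain_t uffd_t:anon_inode { read write ioctl };
# so a descriptor that is passed to a process in another domain cannot be
# operated on there. That is the "movement" control the reply describes:
# handling another process's userfaultfd is ptrace-like access, and the
# policy denies it unless an allow rule grants it explicitly.
```

With a rule like this loaded, denials for a descriptor used from the wrong domain appear in the audit log as AVC denials against the uffd_t type and the anon_inode class, which gives the administrator both enforcement and a detection signal for the ptrace-like access the reply is concerned about.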