> default to N for a while until everything's updated but I'd like to

Ok, updated vfs.pidfd with a patch to flip this to n as the default for now until the LSM learns to deal with this. Should show up in -next tomorrow.

---

>From 57a220844820980f8e3de1c1cd9d112e6e73da83 Mon Sep 17 00:00:00 2001
From: Christian Brauner <brauner@xxxxxxxxxx>
Date: Fri, 23 Feb 2024 14:17:21 +0100
Subject: [PATCH] pidfs: default to n for now

Moving pidfds from the anonymous inode infrastructure to a separate tiny
in-kernel filesystem similar to sockfs, pipefs, and anon_inodefs causes
SELinux denials and thus various userspace components that make heavy use
of pidfds to fail.

Feb 23 12:09:58 fed1 audit[353]: AVC avc: denied { read write open } for pid=353 comm="systemd-userdbd" path="pidfd:[709]" dev="pidfs" ino=709 scontext=system_u:system_r:systemd_userdbd_t:>

So far pidfds weren't able to be mediated by SELinux, which was requested
multiple times. Now that pidfs exists it is actually possible to mediate
pidfds because they go through the regular open path that calls the
security_file_open() hook. This is a huge advantage.

Until the SELinux policy is fixed we need to default to n to avoid breaking
people. That process is under way in [1] and [2].

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2265630 [1]
Link: https://github.com/fedora-selinux/selinux-policy/pull/2050 [2]
Reported-by: Nathan Chancellor <nathan@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20240222190334.GA412503@dev-arch.thelio-3990X
Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
---
 fs/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/Kconfig b/fs/Kconfig
index f3dbd84a0e40..eea2582fd4af 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -177,7 +177,7 @@ source "fs/sysfs/Kconfig" config FS_PID bool "Pseudo filesystem for process file descriptors" depends on 64BIT - default y + default n help Pidfs implements advanced features for process file descriptors.
-- 
2.43.0
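Review bot: the `- default y` / `+ default n` flip in the fs/Kconfig hunk leaves the help text untouched, so someone running menuconfig sees only `Pidfs implements advanced features for process file descriptors.` and gets no hint why the option is now off, or that enabling it routes pidfd opens through the regular open path and thus the security_file_open() hook, which is exactly what triggers the SELinux denial shown in the commit message; consider adding a sentence to the help text along the lines of "Enabling this requires an LSM policy that permits opening files on pidfs; see the linked policy fixes" so the temporary default is self-documenting. A smaller style point on the same lines: an explicit `default n` is already the implicit Kconfig default, so the usual idiom is to drop the `default` line rather than spell it out; if the explicit line is kept deliberately as a marker that this is temporary, a short comment above it saying so would make that intent visible in the Kconfig itself rather than only in the commit log.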