On Fri, 23 Feb 2024 at 21:52, Christian Brauner <brauner@xxxxxxxxxx> wrote:
>
> This is selinux. So I think this is a misunderstanding. This isn't
> something we can fix in the kernel.

Sure it is. SELinux just goes by what the kernel tells it anyway.

Presumably this is purely about the fact that the inode in question
*used* to be that magical 'anon_inode_inode' that is shared when you
don't want or need a separate inode allocation.

I assume it doesn't even look at that, it just looks at the
'anon_inode_fs_type' thing (or maybe at the anon_inode_mnt->mnt_sb
that is created by kern_mount in anon_inode_init?)

IOW, isn't the *only* difference that selinux can actually see just
the inode allocation? It used to be that

        inode = anon_inode_getfile();

now it is

        inode = new_inode_pseudo(pidfdfs_sb);

and instead of sharing one single inode (like anon_inode_getfile()
does unless you ask for separate inodes), it now shares the dentry
instead (for the same pid).

Would selinux be happy if the inode allocation just used the
anon_inode superblock instead of pidfdfs_sb?

               Linus