This series aims to correct a design flaw in the original anon_inode SELinux support that would make it hard to write policies for anonymous inodes once more types of them are supported (currently only userfaultfd inodes are). A more detailed rationale is provided in the second patch. The first patch extends the anon_inode_getfd_secure() function to accept an additional numeric identifier that represents the type of the anonymous inode being created, which is passed to the LSMs via security_inode_init_security_anon(). The second patch then introduces a new SELinux policy capability that allow policies to opt-in to have a separate class used for each type of anon inode. That means that the "old way" will still I wish I had realized the practical consequences earlier, while the patches were still under review, but it only started to sink in after the authors themselves later raised the issue in an off-list conversation. Even then, I still hoped it wouldn't be that bad, but the more I thought about how to apply this in an actual policy, the more I realized how much pain it would be to work with the current design, so I decided to propose these changes. I hope this will be an acceptable solution. A selinux-testsuite patch that adapts the userfaultfd test to work also with the new policy capability enabled will follow. Ondrej Mosnacek (2): LSM,anon_inodes: explicitly distinguish anon inode types selinux: add capability to map anon inode types to separate classes fs/anon_inodes.c | 42 +++++++++++++--------- fs/userfaultfd.c | 6 ++-- include/linux/anon_inodes.h | 4 ++- include/linux/lsm_hook_defs.h | 3 +- include/linux/security.h | 19 ++++++++++ security/security.c | 3 +- security/selinux/hooks.c | 28 ++++++++++++++- security/selinux/include/classmap.h | 2 ++ security/selinux/include/policycap.h | 1 + security/selinux/include/policycap_names.h | 3 +- security/selinux/include/security.h | 7 ++++ 11 files changed, 95 insertions(+), 23 deletions(-) -- 2.30.2
