Re: userfaultfd SELinux support?

On 7/30/19 12:45 PM, Nick Kralevich wrote:
> In glancing over the SELinux code, it appears userfaultfd file
> descriptors are not managed by SELinux. Am I perhaps misreading the
> kernel code and this is supported? Or is this a known issue? If it's a
> known issue, has there been any attempt to add SELinux userfaultfd
> file descriptor support?

I believe that is correct. commit cefdca0a86be517bc390fc4541e3674b8e7803b0 introduced a vm.unprivileged_userfaultfd sysctl that can be set to 0 to restrict use of userfaultfd to processes with CAP_SYS_PTRACE (hence SELinux sys_ptrace), but that only restricts the userfaultfd() system call itself, not subsequent operations on the returned file.

Controlling operations on the userfaultfd files would require addressing the more general problem of how anonymous inodes are used and handled in the kernel. Presently they are marked S_PRIVATE and exempted by the security framework because they have no per-instance state and a single anon inode is typically shared by many users. Setting another label in the file security struct and using that instead for permission checks may be the only option, but that requires the callers of anon_inode_getfd/anon_inode_getfile to pass in additional information about the object being represented so we can label it meaningfully.
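
Added example (not part of the original message and not kernel code): a small audit helper that models the gate described above, reading vm.unprivileged_userfaultfd and the CapEff mask from /proc/self/status to report whether the userfaultfd() system call would pass for the current process. The function names are hypothetical, and treating a missing sysctl file as "unrestricted" is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_PTRACE_BIT 19 /* CAP_SYS_PTRACE in <linux/capability.h> */

/* Extract the effective capability mask from /proc/<pid>/status text.
 * Returns 0 on success, -1 if there is no usable CapEff line. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            *mask = strtoull(p + 7, &end, 16);
            return end == p + 7 ? -1 : 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Model of the gate as described in the message: with the sysctl at 0,
 * only a caller holding CAP_SYS_PTRACE passes. This covers the syscall
 * only; operations on an already-open userfaultfd file are not checked. */
int userfaultfd_syscall_allowed(int sysctl_value, unsigned long long cap_eff)
{
    if (sysctl_value != 0)
        return 1;
    return (int)((cap_eff >> CAP_SYS_PTRACE_BIT) & 1ULL);
}

int main(void)
{
    char buf[8192];
    unsigned long long caps = 0;
    int val = 1; /* assumption: sysctl file absent means no restriction */
    FILE *f = fopen("/proc/sys/vm/unprivileged_userfaultfd", "r");
    if (f) { if (fscanf(f, "%d", &val) != 1) val = 1; fclose(f); }
    size_t n = 0;
    f = fopen("/proc/self/status", "r");
    if (f) { n = fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    buf[n] = '\0';
    if (parse_cap_eff(buf, &caps) != 0) { fprintf(stderr, "no CapEff line\n"); return 2; }
    printf("vm.unprivileged_userfaultfd=%d CapEff=%016llx userfaultfd(): %s\n", val,
           caps, userfaultfd_syscall_allowed(val, caps) ? "allowed" : "refused");
    return 0;
}
```

A "refused" result says nothing about descriptors that were opened earlier or passed in from another process, which is the gap the message points out.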


