| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <118df484-7971-54e7-2a62-a07afc3c627d@tycho.nsa.gov>
Date: Fri, 27 Mar 2020 09:41:55 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Daniel Colascione <dancol@...gle.com>, timmurray@...gle.com,
selinux@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, viro@...iv.linux.org.uk, paul@...l-moore.com,
nnk@...gle.com, lokeshgidra@...gle.com, jmorris@...ei.org
Subject: Re: [PATCH v4 2/3] Teach SELinux about anonymous inodes
On 3/26/20 4:06 PM, Daniel Colascione wrote:
> This change uses the anon_inodes and LSM infrastructure introduced in
> the previous patch to give SELinux the ability to control
> anonymous-inode files that are created using the new _secure()
> anon_inodes functions.
>
> A SELinux policy author detects and controls these anonymous inodes by
> adding a name-based type_transition rule that assigns a new security
> type to anonymous-inode files created in some domain. The name used
> for the name-based transition is the name associated with the
> anonymous inode for file listings --- e.g., "[userfaultfd]" or
> "[perf_event]".
>
> Example:
>
> type uffd_t;
> type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
> allow sysadm_t uffd_t:anon_inode { create };
>
> (The next patch in this series is necessary for making userfaultfd
> support this new interface. The example above is just
> for exposition.)
>
> Signed-off-by: Daniel Colascione <dancol@...gle.com>
Acked-by: Stephen Smalley <sds@...ho.nsa.gov>
Powered by blists - more mailing lists