Re: [PATCH v10 3/3] Use secure anon inodes for userfaultfd
From: Eric Biggers
Date: Wed Nov 04 2020 - 15:36:37 EST
On Sun, Oct 11, 2020 at 01:29:36AM -0700, Lokesh Gidra wrote:
> From: Daniel Colascione <dancol@xxxxxxxxxx>
>
> This change gives userfaultfd file descriptors a real security
> context, allowing policy to act on them.
>
> Signed-off-by: Daniel Colascione <dancol@xxxxxxxxxx>
>
> [Remove owner inode from userfaultfd_ctx]
> [Use anon_inode_getfd_secure() instead of anon_inode_getfile_secure()
> in userfaultfd syscall]
> [Use inode of file in userfaultfd_read() in resolve_userfault_fork()]
>
> Signed-off-by: Lokesh Gidra <lokeshgidra@xxxxxxxxxx>
> ---
I'm not an expert in userfaultfd or SELinux, but I don't see any issues with
this patch, and the comments I made earlier were resolved (except for the patch
title which I just pointed out -- it should have "userfaultfd:" prefix).
So feel free to add:
Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>