Searched hist:"29 cd6591" (Results 1 – 2 of 2) sorted by relevance
/openbmc/linux/security/selinux/include/classmap.h
29cd6591 | Fri Jan 08 16:22:22 CST 2021 | Daniel Colascione <dancol@google.com> | selinux: teach SELinux about anonymous inodes
This change uses the anon_inodes and LSM infrastructure introduced in the previous patches to give SELinux the ability to control anonymous-inode files that are created using the new anon_inode_getfd_secure() function.
A SELinux policy author detects and controls these anonymous inodes by adding a name-based type_transition rule that assigns a new security type to anonymous-inode files created in some domain. The name used for the name-based transition is the name associated with the anonymous inode for file listings --- e.g., "[userfaultfd]" or "[perf_event]".
Example:
    type uffd_t;
    type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
    allow sysadm_t uffd_t:anon_inode { create };
(The next patch in this series is necessary for making userfaultfd support this new interface. The example above is just for exposition.)
Signed-off-by: Daniel Colascione <dancol@google.com>
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
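The commit's snippet shows a single transition for one domain. The fragment below is an added illustration, not code from the commit or from the kernel tree, written in the same kernel policy language as the commit's own example. It extends the idea to both anonymous-inode names the message cites ("[userfaultfd]" and "[perf_event]") and to a second domain that is deliberately given no create permission. Everything beyond the commit's own three lines is an assumption for illustration: the domain names (sysadm_t, httpd_t), the attribute and type names, the assumption that anon_inode carries the common file permission set (create, read, write, ioctl, ...), and the assumption that an anonymous inode created without a matching transition is labeled with the creating domain's own type.

```selinux
# Added example policy (not part of the kernel tree or of this commit).
# Assumes: anon_inode uses the common file permissions; sysadm_t and
# httpd_t exist; without a matching type_transition the new inode is
# labeled with the creating domain's own type.

attribute anon_inode_type;

# One type per anonymous-inode name, so policy and audit logs can tell
# a userfaultfd from a perf_event fd.
type uffd_t, anon_inode_type;
type perf_event_anon_t, anon_inode_type;

# Name-based transitions. The string is the name shown for the inode in
# fd listings, e.g. "anon_inode:[userfaultfd]" under /proc/<pid>/fd.
type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
type_transition sysadm_t sysadm_t : anon_inode perf_event_anon_t "[perf_event]";

# create is checked once, at anon_inode_getfd_secure() time; the other
# permissions govern later use of the descriptor.
allow sysadm_t uffd_t:anon_inode { create read write ioctl };
allow sysadm_t perf_event_anon_t:anon_inode { create read write ioctl };

# A confined service that must never obtain a userfaultfd. The transition
# is still declared so a denial is reported against uffd_t rather than
# against httpd_t's own type; the absence of any allow rule is the control.
type_transition httpd_t httpd_t : anon_inode uffd_t "[userfaultfd]";
# (no "allow httpd_t uffd_t:anon_inode create;" on purpose)
```

With this loaded, a userfaultfd() call from httpd_t is refused at creation, and the resulting AVC denial names tclass=anon_inode with tcontext of type uffd_t, which is what makes the name-based transition useful for detection as well as enforcement. As the commit message notes, userfaultfd only starts going through anon_inode_getfd_secure() with the next patch in the series, so the denial above depends on that patch being present too.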
/openbmc/linux/security/selinux/hooks.c
29cd6591 | Fri Jan 08 16:22:22 CST 2021 | Daniel Colascione <dancol@google.com> | selinux: teach SELinux about anonymous inodes