On Tue, Apr 6, 2021 at 7:33 PM Zbigniew Jędrzejewski-Szmek
<zbyszek(a)in.waw.pl> wrote:
On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> Hi all,
>
> Kernel 5.12 added support to SELinux for controlling access to the
> userfaultfd interface [1][2] and we'd like to implement this in
> Fedora's selinux-policy. However, once we add the corresponding class
> to the policy, all SELinux domains for which we don't add the
> appropriate rules will have any usage of userfaultfd(2) denied.
https://codesearch.debian.net/search?q=userfaultfd(&literal=1
lists a few candidates…
Thanks, that's a nice tool!
Filtering out false-positives, the kernel itself, and user programs
that would normally run under unconfined_t, packages dead in Fedora,
..., the only relevant one seems to be 'criu' (already mentioned in
this thread). Strange that it didn't find QEMU... maybe needs a more
generic search...
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.