On Tue, Apr 6, 2021 at 7:33 PM Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> wrote:
> On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> > Hi all,
> > Kernel 5.12 added support to SELinux for controlling access to the userfaultfd interface [1][2] and we'd like to implement this in Fedora's selinux-policy. However, once we add the corresponding class to the policy, all SELinux domains for which we don't add the appropriate rules will have any usage of userfaultfd(2) denied.
>
> https://codesearch.debian.net/search?q=userfaultfd(&literal=1 lists a few candidates…
Thanks, that's a nice tool!
Filtering out false positives, the kernel itself, user programs that would normally run under unconfined_t, packages dead in Fedora, ..., the only relevant one seems to be 'criu' (already mentioned in this thread). Strange that it didn't find QEMU... maybe needs a more generic search...
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
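The practical question in the thread is which confined domains will hit denials once the new class lands. The script below, added here as an example and not from the thread or from selinux-policy, pulls those domains out of AVC records; the audit lines are constructed, and the class name `anon_inode` and the `[userfaultfd]` name field are assumptions about how the 5.12 hook labels the descriptor.

```sh
#!/bin/sh
# Constructed sample audit records (not real log data). The "anon_inode"
# class and the "[userfaultfd]" anonclass/path fields are assumptions.
AVC_SAMPLE='type=AVC msg=audit(1617722000.101:201): avc:  denied  { create } for  pid=1201 comm="criu" anonclass=[userfaultfd] scontext=system_u:system_r:criu_t:s0 tcontext=system_u:system_r:criu_t:s0 tclass=anon_inode permissive=0
type=AVC msg=audit(1617722000.102:202): avc:  denied  { read write } for  pid=1201 comm="criu" path="anon_inode:[userfaultfd]" scontext=system_u:system_r:criu_t:s0 tcontext=system_u:system_r:criu_t:s0 tclass=anon_inode permissive=0
type=AVC msg=audit(1617722001.500:203): avc:  denied  { create } for  pid=2302 comm="qemu-system-x86" anonclass=[userfaultfd] scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:system_r:svirt_t:s0:c1,c2 tclass=anon_inode permissive=0
type=AVC msg=audit(1617722002.000:204): avc:  denied  { write } for  pid=3001 comm="httpd" path="/var/log/foo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# Emit "<source domain type> <denied permissions>" for every userfaultfd
# denial, one line per distinct pair. Unrelated classes (the httpd_t file
# denial above) are filtered out so only the new class shows up.
userfaultfd_denials() {
    printf '%s\n' "$AVC_SAMPLE" |
    grep 'tclass=anon_inode' |
    grep 'userfaultfd' |
    sed -n 's/.*{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\2 \1/p' |
    sort -u
}

# Just the domains: these are the types that need allow rules (or a
# deliberate decision to keep them denied) before the class is enabled.
userfaultfd_domains() {
    userfaultfd_denials | awk '{ print $1 }' | sort -u
}

userfaultfd_denials
```

Against a live system, replace the embedded sample with `ausearch -m AVC -ts recent` output piped into the same filters.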
selinux@lists.fedoraproject.org