SELinuxProject/selinux-kernel

RFE: improve handling of anonymous inodes

pcmoore opened this issue · 3 comments

From @stephensmalley on the SELinux mailing list:

... the more general problem of how anonymous inodes are used and handled in the kernel. Presently they are marked S_PRIVATE and exempted by the security framework because they have no per-instance state and a single anon inode is typically shared by many users. Setting another label in the file security struct and using that instead for permission checks may be the only option, but that requires the callers of anon_inode_getfd/anon_inode_getfile to pass in additional information about the object being represented so we can label it meaningfully.
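The sharing that the quote describes can be observed from user space: because anon_inode_getfd() hands every caller the same backing inode, two unrelated eventfds report one st_dev/st_ino pair, and the only per-instance information visible is the class name in the /proc/self/fd symlink. The following probe is an added illustration, not code from this issue or the kernel tree; it assumes a Linux host with the upstream anon_inode implementation and, optionally, procfs mounted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/eventfd.h>
#include <sys/stat.h>
/* Result of probing two independently created anon-inode fds. */
struct anon_probe {
    int fd_a, fd_b;      /* the two eventfd descriptors */
    int same_inode;      /* 1 if fstat() reports one shared inode */
    char link_a[64];     /* /proc/self/fd/<fd_a> target, e.g. "anon_inode:[eventfd]" */
};
/* Create two eventfds and compare their inodes. Both objects are unrelated,
 * yet they sit on the single shared anon inode (hypothetical helper name). */
int probe_anon_inodes(struct anon_probe *p)
{
    struct stat sa, sb;
    char path[32];
    ssize_t n;
    memset(p, 0, sizeof(*p));
    p->fd_a = eventfd(0, EFD_CLOEXEC);
    p->fd_b = eventfd(0, EFD_CLOEXEC);
    if (p->fd_a < 0 || p->fd_b < 0)
        return -1;
    if (fstat(p->fd_a, &sa) < 0 || fstat(p->fd_b, &sb) < 0)
        return -1;
    p->same_inode = (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino);
    /* The /proc symlink names the anon inode class rather than a path; this
     * is all the per-instance state user space can see. Optional: procfs
     * may be absent in a sandbox, in which case link_a stays empty. */
    snprintf(path, sizeof(path), "/proc/self/fd/%d", p->fd_a);
    n = readlink(path, p->link_a, sizeof(p->link_a) - 1);
    if (n >= 0)
        p->link_a[n] = '\0';
    return 0;
}
int main(void)
{
    struct anon_probe p;
    if (probe_anon_inodes(&p) < 0)
        return 1;
    printf("fd %d, fd %d: same inode=%d, link=%s\n", p.fd_a, p.fd_b,
           p.same_inode, p.link_a[0] ? p.link_a : "n/a");
    close(p.fd_a); close(p.fd_b);
    return 0;
}
```

With per-instance labeling as proposed in the quote, same_inode would no longer be the whole story: a label attached to the file security struct could differ between the two descriptors even though the inode stays shared.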