
object_classes_permissions.md: Add anon_inode class

Message ID 20210309164602.145140-1-richard_c_haines@btinternet.com (mailing list archive)
State Accepted
Delegated to: Paul Moore
Series object_classes_permissions.md: Add anon_inode class

Commit Message

Richard Haines March 9, 2021, 4:46 p.m. UTC
Add anon_inode class and permissions with example rules. The kernel
currently only supports userfaultfd(2) services.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/object_classes_permissions.md | 28 ++++++++++++++++++++++++++++
 src/type_statements.md            |  4 ++++
 2 files changed, 32 insertions(+)

Comments

Paul Moore April 8, 2021, 1:35 a.m. UTC | #1
On Tue, Mar 9, 2021 at 11:46 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> Add anon_inode class and permissions with example rules. The kernel
> currently only supports userfaultfd(2) services.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  src/object_classes_permissions.md | 28 ++++++++++++++++++++++++++++
>  src/type_statements.md            |  4 ++++
>  2 files changed, 32 insertions(+)

My apologies that it took a month to merge this, but once again thank
you for the update!

Patch

diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index fa16024..bbc703d 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -20,6 +20,7 @@ 
     - [*blk_file*](#blk_file)
     - [*sock_file*](#sock_file)
     - [*fifo_file*](#fifo_file)
+    - [*anon_inode*](#anon_inode)
     - [*fd*](#fd)
   - [Network Object Classes](#network-object-classes)
     - [*node*](#node)
@@ -953,6 +954,33 @@  Named pipes
 **Permissions** - Inherit 25
 [**Common File Permissions**](#common-file-permissions):
 
+- *append*, *audit_access*, *create*, *execute*, *execmod*, *getattr*, *ioctl*,
+  *link*, *lock*, *map*, *mounton*, *open*, *quotaon*, *read*, *relabelfrom*,
+  *relabelto*, *rename*, *setattr*, *unlink*, *watch*, *watch_mount*,
+  *watch_sb*, *watch_with_perm*, *watch_reads*, *write*
+
+### *anon_inode*
+
+Control anonymous-inode files via the kernel *anon_inode_getfd_secure()*
+function. Policy controls anonymous inodes by adding a name-based
+[***type_transition***](type_statements.md#type_transition) rule that assigns
+a *type* to anonymous-inode files created in a domain. The *name* used for the
+name-based transition is the name associated with the anonymous inode for file
+listings, for example:
+
+```
+type uffd_t;
+type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
+allow sysadm_t uffd_t:anon_inode { create };
+```
+
+Currently only ***userfaultfd**(2)* makes use of this service (from kernel 5.12)
+as described in the patch series
+<https://lore.kernel.org/selinux/20210108222223.952458-1-lokeshgidra@google.com/>
+
+**Permissions** - Inherit 25
+[**Common File Permissions**](#common-file-permissions):
+
 - *append*, *audit_access*, *create*, *execute*, *execmod*, *getattr*, *ioctl*,
   *link*, *lock*, *map*, *mounton*, *open*, *quotaon*, *read*, *relabelfrom*,
   *relabelto*, *rename*, *setattr*, *unlink*, *watch*, *watch_mount*,
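Review bot: the example rules grant only *create* on the *anon_inode* class, while the section lists the other 24 inherited permissions (*ioctl*, *read*, *write*, ...) without saying whether any of them are also needed once the userfaultfd(2) descriptor is in use; a sentence after the example stating which inherited permissions apply to the anonymous inode after creation (or that *create* is only what the name-based transition itself requires) would make the example usable as a policy template. Minor: the sentence ending with the lore.kernel.org link has no terminating full stop.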
diff --git a/src/type_statements.md b/src/type_statements.md
index 0d7f137..572c540 100644
--- a/src/type_statements.md
+++ b/src/type_statements.md
@@ -471,6 +471,10 @@  however, this is only appropriate for the file classes:
 type_transition source_type target_type : class default_type object_name;
 ```
 
+Kernel 5.12 introduced the 'name transition' rule for anonymous inodes that is
+described with an example in the
+[**anon_inode Object Class**](object_classes_permissions.md#anon_inode) section.
+
 **Where:**
 
 *type_transition*
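Review bot: the new paragraph sits directly under the line "however, this is only appropriate for the file classes:" (the hunk's first context line), so a reader may take the file-class restriction as still applying to *anon_inode*; suggest opening with wording such as "Kernel 5.12 extended the name-based *type_transition* rule to the *anon_inode* class ..." so it is clear this is an addition to the classes that accept an *object_name*, and replace the single-quoted 'name transition' with the bold-italic *type_transition* style used elsewhere in the section.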