From: Albert Esteve
Date: Tue, 12 May 2026 11:10:46 +0200
Subject: [PATCH RFC 4/5] selinux: Restrict cross-cgroup dma-heap charging
Message-Id: <20260512-v2_20230123_tjmercier_google_com-v1-4-6326701c3691@redhat.com>
References: <20260512-v2_20230123_tjmercier_google_com-v1-0-6326701c3691@redhat.com>
In-Reply-To: <20260512-v2_20230123_tjmercier_google_com-v1-0-6326701c3691@redhat.com>
To: Tejun Heo, Johannes Weiner, Michal Koutný, Jonathan Corbet, Shuah Khan, Sumit Semwal, Christian König, Michal Hocko, Roman Gushchin, Shakeel Butt, Muchun Song, Andrew Morton, Benjamin Gaignard, Brian Starkey, John Stultz, "T.J. Mercier", Christian Brauner, Paul Moore, James Morris, "Serge E. Hallyn", Stephen Smalley, Ondrej Mosnacek, Shuah Khan
Cc: cgroups@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-mm@kvack.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kselftest@vger.kernel.org, Albert Esteve, mripard@kernel.org, echanude@redhat.com
List-Id: Direct Rendering Infrastructure - Development

The security_dma_heap_alloc() hook allows security modules to control which processes may charge dma-buf allocations to another process's cgroup via the charge_pid_fd field of DMA_HEAP_IOCTL_ALLOC. Without a policy implementation, the hook is a no-op and the restriction is not enforced. On SELinux-managed systems, any domain with access to a dma-heap device node can therefore exhaust another cgroup's memory budget without restriction.

Implement selinux_dma_heap_alloc() using avc_has_perm() with a new dma_heap object class and a charge_to permission. Policy authors can then grant cross-cgroup charging selectively, for example:

  allow allocator_app_t client_app_t:dma_heap charge_to;

Signed-off-by: Albert Esteve
---
 security/selinux/hooks.c            | 7 +++++++
 security/selinux/include/classmap.h | 1 +
 2 files changed, 8 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0f704380a8c81..ea1f410b9f619 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2189,6 +2189,12 @@ static int selinux_capable(const struct cred *cred, struct user_namespace *ns, return cred_has_capability(cred, cap, opts, ns == &init_user_ns); } +static int selinux_dma_heap_alloc(const struct cred *from, const struct cred *to) +{ + return avc_has_perm(cred_sid(from), cred_sid(to), + SECCLASS_DMA_HEAP, DMA_HEAP__CHARGE_TO, NULL); +} + static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) { const struct cred *cred = current_cred(); @@ -7541,6 +7547,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(capget, selinux_capget), LSM_HOOK_INIT(capset, selinux_capset), LSM_HOOK_INIT(capable, selinux_capable), + LSM_HOOK_INIT(dma_heap_alloc, selinux_dma_heap_alloc), LSM_HOOK_INIT(quotactl, selinux_quotactl), LSM_HOOK_INIT(quota_on, selinux_quota_on), LSM_HOOK_INIT(syslog, selinux_syslog), 
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 90cb61b164256..d232f7808f6b8 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -181,6 +181,7 @@ const struct security_class_mapping secclass_map[] = { { "user_namespace", { "create", NULL } }, { "memfd_file", { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } }, + { "dma_heap", { "charge_to", NULL } }, /* last one */ { NULL, {} } }; -- 2.53.0
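Review bot: In the selinux_dma_heap_alloc() hunk of security/selinux/hooks.c the avc_has_perm() call passes NULL as the audit data, so a denial is logged with only the caller's pid/comm, scontext, tcontext and tclass=dma_heap, and nothing identifies the target process whose cgroup was to be charged; since the hook receives only two struct cred pointers there is no task to build an LSM_AUDIT_DATA_TASK record from, so either extend the hook to carry the target task or state in the commit message that denials carry no target identification. The same hunk does not special-case cred_sid(from) == cred_sid(to); if the core also calls the hook when charge_pid_fd is not supplied (charging the caller's own cgroup), every domain that allocates from a dma-heap would need `allow foo_t self:dma_heap charge_to;`, which the commit message should say explicitly, or the core should skip the hook on that path.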
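Review bot: The new `{ "dma_heap", { "charge_to", NULL } }` entry in classmap.h adds a class that existing binary policies do not declare, so on such a policy the outcome of the check follows the policy's handle_unknown setting (allow, deny or reject) rather than an explicit rule; the commit message should call this out, and the series needs the matching policy-side work (declaring class dma_heap with permission charge_to in the reference policy, and a selinux-testsuite case that exercises charge_pid_fd with and without the rule) before the RFC tag is dropped. The entry sits correctly before the `/* last one */` terminator, and the `1 +` in the diffstat matches the hunk.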
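On a policy that does not yet grant charge_to, exercising the new hook produces AVC denials, and the commit message shows the shape of the rule that resolves them. The following added example (written for this page; it is not part of the patch, the series or the SELinux code base) parses such denials from audit log text and derives allow rules in that form, merging permissions per (source type, target type, class) and using `self` where the two types coincide, in the manner of audit2allow; it also counts the cross-domain charge attempts, which are the signal for the budget-exhaustion scenario the commit message describes. The audit lines are constructed to match the AVC denial format with no extra audit data (the hook passes NULL to avc_has_perm()); the type names allocator_app_t, client_app_t, gpu_worker_t and dma_device_t, the pids and the comm values are assumptions. The rule generator is general over any object class, not only dma_heap.

```python
"""Parse SELinux AVC denials and derive allow rules (added example, not patch code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample audit records; the type names, pids and comm values are
# assumptions made for this example, not output of a real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1778577200.123:4711): avc:  denied  { charge_to } for  pid=1234 comm="allocator" scontext=system_u:system_r:allocator_app_t:s0 tcontext=system_u:system_r:client_app_t:s0 tclass=dma_heap permissive=0
type=AVC msg=audit(1778577201.456:4712): avc:  denied  { read write } for  pid=1234 comm="allocator" path="/dev/dma_heap/system" dev="devtmpfs" ino=123 scontext=system_u:system_r:allocator_app_t:s0 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1778577202.789:4713): avc:  denied  { charge_to } for  pid=1234 comm="allocator" scontext=system_u:system_r:allocator_app_t:s0 tcontext=system_u:system_r:client_app_t:s0 tclass=dma_heap permissive=0
type=AVC msg=audit(1778577203.000:4714): avc:  denied  { charge_to } for  pid=999 comm="gpu_worker" scontext=system_u:system_r:gpu_worker_t:s0 tcontext=system_u:system_r:gpu_worker_t:s0 tclass=dma_heap permissive=1
type=SYSCALL msg=audit(1778577203.000:4714): arch=c000003e syscall=16 success=no exit=-13
"""

# One AVC denial record: permissions, optional pid/comm, any extra audit data
# (path=, dev=, ... when the hook supplied some), then the contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?:pid=(?P<pid>\d+)\s+)?(?:comm="(?P<comm>[^"]*)"\s+)?'
    r'(?P<extra>.*?)scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    pid: Optional[int]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool  # True when the kernel logged the denial but did not enforce it


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_avc(text: str) -> List[Denial]:
    """Extract AVC denial records from audit log text; other records are ignored."""
    found: List[Denial] = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        found.append(Denial(
            perms=tuple(m.group("perms").split()),
            pid=int(m.group("pid")) if m.group("pid") else None,
            comm=m.group("comm") or "",
            scontext=m.group("scontext"),
            tcontext=m.group("tcontext"),
            tclass=m.group("tclass"),
            permissive=m.group("permissive") == "1",
        ))
    return found


def suggest_rules(denials: List[Denial]) -> List[str]:
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for d in denials:
        key = (context_type(d.scontext), context_type(d.tcontext), d.tclass)
        merged[key].update(d.perms)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        target = "self" if src == tgt else tgt  # policy shorthand for same-type rules
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_text};")
    return sorted(rules)


def cross_domain_charges(denials: List[Denial]) -> Dict[Tuple[str, str], int]:
    """Count dma_heap charge_to attempts whose charged domain differs from the caller's."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for d in denials:
        if d.tclass != "dma_heap" or "charge_to" not in d.perms:
            continue
        src, tgt = context_type(d.scontext), context_type(d.tcontext)
        if src != tgt:
            counts[(src, tgt)] += 1
    return dict(counts)


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT_LOG)
    for rule in suggest_rules(denials):
        print(rule)
    for (src, tgt), n in cross_domain_charges(denials).items():
        print(f"# {src} tried to charge {tgt}'s cgroup {n} time(s)")
```

Feed it the output of `ausearch -m AVC` (or the raw audit.log) from a test run; the first rule it prints for the sample is exactly the form the commit message gives, while the count of cross-domain attempts is what to watch in enforcing mode once the rule is deliberately withheld.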