Description of problem:
Hey everyone. pidfds have been moved from the anonymous inode infrastructure to a separate in-kernel filesystem called "pidfs". It is comparable to nsfs, sockfs, pipefs, and anon_inode_fs. It always exists and cannot be mounted or unmounted from userspace. So far pidfds weren't able to be mediated by SELinux, which was requested multiple times. Now that pidfs exists it is actually possible to mediate pidfds because they go through the regular open path that calls the security_file_open() hook. This is a huge advantage.

The problem is that users running the latest upstream kernel experience SELinux denials of the following form:

Feb 23 12:09:58 fed1 audit[353]: AVC avc: denied { read write open } for pid=353 comm="systemd-userdbd" path="pidfd:[709]" dev="pidfs" ino=709 scontext=system_u:system_r:systemd_userdbd_t:>

Since pidfds are widely used (systemd, dbus-broker, polkit, and a lot more) this causes various services to fail to start and ultimately failures to bring up networking and so on.

On newer kernels it is possible to receive pidfds via AF_UNIX through the SO_PEERPIDFD and SCM_PIDFD options. This is a major security feature that makes it possible to securely authenticate clients - protected against pid reuse - in dbus and polkit.

I've created a dummy pull request at: https://github.com/fedora-selinux/selinux-policy/pull/2050

It would be very very good if we could resolve this quickly.

How reproducible:
Build linux-next kernel and boot with SELinux enabled on Fedora 39 or Fedora Rawhide for example.

Steps to Reproduce:
1. Build linux-next kernel.
2. Boot Fedora

Actual results:
Various denials to use pidfds.

Expected results:
No denials to use pidfds.
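To check whether a system is affected by this, here is an added example (not part of the bug report or of the policy pull request) that scans audit lines for AVC denials on dev="pidfs" and summarises the requested permissions per source domain. The sample log lines, and the tcontext and MLS fields in them, are constructed for the example and do not come from the report.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample audit lines modelled on the denial quoted in the report.
# The tcontext values and the third (non-pidfs) line are made up for contrast.
SAMPLE_AUDIT_LOG = """\
Feb 23 12:09:58 fed1 audit[353]: AVC avc:  denied  { read write open } for  pid=353 comm="systemd-userdbd" path="pidfd:[709]" dev="pidfs" ino=709 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Feb 23 12:10:01 fed1 audit[411]: AVC avc:  denied  { read } for  pid=411 comm="dbus-broker" path="pidfd:[812]" dev="pidfs" ino=812 scontext=system_u:system_r:dbus_broker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Feb 23 12:10:05 fed1 audit[500]: AVC avc:  denied  { write } for  pid=500 comm="sshd" path="/etc/passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""

# Fields of an AVC denial record; \s+ tolerates the double spaces auditd emits.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?dev="(?P<dev>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def summarize_pidfs_denials(log_text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Return {(source_type, tclass): set(perms)} for denials whose dev is pidfs."""
    summary: Dict[Tuple[str, str], Set[str]] = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("dev") != "pidfs":
            continue
        # scontext is user:role:type[:mls]; the type is what a policy rule keys on
        source_type = m.group("scontext").split(":")[2]
        key = (source_type, m.group("tclass"))
        summary.setdefault(key, set()).update(m.group("perms").split())
    return summary


def format_report(summary: Dict[Tuple[str, str], Set[str]]) -> str:
    """Render one line per (source domain, class) so operators can see who is hit."""
    return "\n".join(
        f"{stype} -> {tclass}: {' '.join(sorted(perms))}"
        for (stype, tclass), perms in sorted(summary.items())
    )


if __name__ == "__main__":
    print(format_report(summarize_pidfs_denials(SAMPLE_AUDIT_LOG)))
```

On a live Fedora box the same function can be fed the output of `ausearch -m AVC`; an empty summary means the running kernel or policy does not exhibit these pidfs denials.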
Reference policy: https://github.com/SELinuxProject/refpolicy/pull/762
I want to note that we're obviously fixing this in the kernel for now and it will continue working but I would like to give LSMs the ability to mediate pidfds asap as that had been requested for a while now and this is the first time we can actually enable this.