On May 12, 2026 Albert Esteve <[email protected]> wrote: > > The security_dma_heap_alloc() hook allows security modules > to control which processes may charge dma-buf allocations > to another process's cgroup via the charge_pid_fd field of > DMA_HEAP_IOCTL_ALLOC. Without a policy implementation, the > hook is a no-op and the restriction is not enforced. > > On SELinux-managed systems any domain with access to a > dma-heap device node can therefore exhaust another cgroup's > memory budget without restriction. > > Implement selinux_dma_heap_alloc() using avc_has_perm() with > a new dma_heap object class and a charge_to permission. Policy > authors can then grant cross-cgroup charging selectively, > for example: > > allow allocator_app_t client_app_t:dma_heap charge_to; > > Signed-off-by: Albert Esteve <[email protected]> > --- > security/selinux/hooks.c | 7 +++++++ > security/selinux/include/classmap.h | 1 + > 2 files changed, 8 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0f704380a8c81..ea1f410b9f619 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2189,6 +2189,12 @@ static int selinux_capable(const struct cred *cred, > struct user_namespace *ns, > return cred_has_capability(cred, cap, opts, ns == &init_user_ns); > } > > +static int selinux_dma_heap_alloc(const struct cred *from, const struct cred > *to) > +{ > + return avc_has_perm(cred_sid(from), cred_sid(to), > + SECCLASS_DMA_HEAP, DMA_HEAP__CHARGE_TO, NULL); > +} > + > static int selinux_quotactl(int cmds, int type, int id, const struct > super_block *sb) > { > const struct cred *cred = current_cred(); > @@ -7541,6 +7547,7 @@ static struct security_hook_list selinux_hooks[] > __ro_after_init = { > LSM_HOOK_INIT(capget, selinux_capget), > LSM_HOOK_INIT(capset, selinux_capset), > LSM_HOOK_INIT(capable, selinux_capable), > + LSM_HOOK_INIT(dma_heap_alloc, selinux_dma_heap_alloc), > LSM_HOOK_INIT(quotactl, selinux_quotactl), > LSM_HOOK_INIT(quota_on, selinux_quota_on), > LSM_HOOK_INIT(syslog, selinux_syslog), > diff --git a/security/selinux/include/classmap.h > b/security/selinux/include/classmap.h > index 90cb61b164256..d232f7808f6b8 100644 > --- a/security/selinux/include/classmap.h > +++ b/security/selinux/include/classmap.h > @@ -181,6 +181,7 @@ const struct security_class_mapping secclass_map[] = { > { "user_namespace", { "create", NULL } }, > { "memfd_file", > { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } }, > + { "dma_heap", { "charge_to", NULL } }, > /* last one */ { NULL, {} } > };
While we have seen some one-off patches to add specific resource/cgroups controls in the past, much like this one, we've yet to see a patchset that provides a more comprehensive set of resource/cgroup access controls for SELinux. I'm not opposed to a patch like this, but I would like to see it as part of a larger effort to introduce access controls across all of the existing cgroup control points where it makes sense. In other words, let's see a design for cgroup access controls so that we can ensure we have something that is meaningful and makes sense from a policy developer's perspective. -- paul-moore.com
