On May 12, 2026 Albert Esteve aesteve@redhat.com wrote:
The security_dma_heap_alloc() hook allows security modules to control which processes may charge dma-buf allocations to another process's cgroup via the charge_pid_fd field of DMA_HEAP_IOCTL_ALLOC. Without a policy implementation, the hook is a no-op and the restriction is not enforced.
On SELinux-managed systems any domain with access to a dma-heap device node can therefore exhaust another cgroup's memory budget without restriction.
Implement selinux_dma_heap_alloc() using avc_has_perm() with a new dma_heap object class and a charge_to permission. Policy authors can then grant cross-cgroup charging selectively, for example:
allow allocator_app_t client_app_t:dma_heap charge_to;
Signed-off-by: Albert Esteve aesteve@redhat.com
security/selinux/hooks.c | 7 +++++++ security/selinux/include/classmap.h | 1 + 2 files changed, 8 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0f704380a8c81..ea1f410b9f619 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2189,6 +2189,12 @@ static int selinux_capable(const struct cred *cred, struct user_namespace *ns, return cred_has_capability(cred, cap, opts, ns == &init_user_ns); } +static int selinux_dma_heap_alloc(const struct cred *from, const struct cred *to) +{
- return avc_has_perm(cred_sid(from), cred_sid(to),
SECCLASS_DMA_HEAP, DMA_HEAP__CHARGE_TO, NULL);+}
static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) { const struct cred *cred = current_cred(); @@ -7541,6 +7547,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(capget, selinux_capget), LSM_HOOK_INIT(capset, selinux_capset), LSM_HOOK_INIT(capable, selinux_capable),
- LSM_HOOK_INIT(dma_heap_alloc, selinux_dma_heap_alloc), LSM_HOOK_INIT(quotactl, selinux_quotactl), LSM_HOOK_INIT(quota_on, selinux_quota_on), LSM_HOOK_INIT(syslog, selinux_syslog),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 90cb61b164256..d232f7808f6b8 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -181,6 +181,7 @@ const struct security_class_mapping secclass_map[] = { { "user_namespace", { "create", NULL } }, { "memfd_file", { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } },
- { "dma_heap", { "charge_to", NULL } }, /* last one */ { NULL, {} }
};
While we have seen some one-off patches to add specific resource/cgroups controls in the past, much like this one, we've yet to see a patchset that provides a more comprehensive set of resource/cgroup access controls for SELinux.
I'm not opposed to a patch like this, but I would like to see it as part of a larger effort to introduce access controls across all of the existing cgroup control points where it makes sense. In other words, let's see a design for cgroup access controls so that we can ensure we have something that is meaningful and makes sense from a policy developer's perspective.
-- paul-moore.com