From 9baf8819503ca239d68de92831e05e9542060459 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 23 Feb 2024 08:41:16 -0500
Subject: [PATCH 1/2] filesystem: Add labeling for pidfs.

Signed-off-by: Chris PeBenito
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 67aa29ed9f..e5695eb826 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -49,6 +49,7 @@ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 # like pipes and sockets, so that these objects are labeled with the same
 # type as the creating task.
 fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_task pidfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);

From ad7f2db84eb3549cba8592d0cad5f0fc47b461dc Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 26 Feb 2024 09:10:06 -0500
Subject: [PATCH 2/2] support: Add use_pidfds_pattern.

Signed-off-by: Chris PeBenito
---
policy/support/ipc_patterns.spt | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt
index f8dea13b3c..e420bd3376 100644
--- a/policy/support/ipc_patterns.spt
+++ b/policy/support/ipc_patterns.spt
@@ -18,3 +18,14 @@ define(`dgram_send_pattern',`
 allow $1 $3:sock_file write_sock_file_perms;
 allow $1 $4:unix_dgram_socket sendto;
 ')
+
+#
+# pidfd
+#
+# Parameters:
+# 1. source domain type
+# 2. target domain type
+define(`use_pidfds_pattern',`
+ allow $1 $2:fd use;
+ allow $1 $2:file { getattr read write };
+')
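Review bot: The `use_pidfds_pattern` added in the ipc_patterns.spt hunk documents its second parameter as the `target domain type` and grants `file { getattr read write }` on it, while the filesystem.te hunk labels pidfs with `fs_use_task`, whose surrounding comment says such inodes take the type of the creating task; the two agree only if the task that creates a pidfs inode is always the target domain, which neither patch establishes. If instead the inode can be created by whichever task first obtains a pidfd, the `file` rule would have to name the creator's type rather than the target's, and the parameter comment would steer policy writers to the wrong type. Suggest confirming the kernel's labeling and recording it next to the parameter, e.g. `# 2. target domain type (pidfs inodes are labeled with the type of the task that created them)`, so the pattern's assumption is explicit. The `write` permission on the pidfd file is also unexplained in the hunk; a one-line comment naming the pidfd operation that requires it, or dropping it if none does, would keep the pattern minimal.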