From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 64D17C10F1D
	for <linux-mm@archiver.kernel.org>; Thu,  8 Dec 2022 16:46:41 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 03DE78E0006; Thu,  8 Dec 2022 11:46:41 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id F2E0F8E0001; Thu,  8 Dec 2022 11:46:40 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id E1C9B8E0006; Thu,  8 Dec 2022 11:46:40 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10])
	by kanga.kvack.org (Postfix) with ESMTP id CE6C68E0001
	for <linux-mm@kvack.org>; Thu,  8 Dec 2022 11:46:40 -0500 (EST)
Received: from smtpin08.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay04.hostedemail.com (Postfix) with ESMTP id 53D7F1A0FD3
	for <linux-mm@kvack.org>; Thu,  8 Dec 2022 16:46:40 +0000 (UTC)
X-FDA: 80219717760.08.6F9B6C6
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47])
	by imf10.hostedemail.com (Postfix) with ESMTP id 6877DC0008
	for <linux-mm@kvack.org>; Thu,  8 Dec 2022 16:46:38 +0000 (UTC)
Authentication-Results: imf10.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=U2b9lM71;
	dmarc=pass (policy=none) header.from=chromium.org;
	spf=pass (imf10.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.47 as permitted sender) smtp.mailfrom=keescook@chromium.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1670517998;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=M5g9x1VwrktuopxwMZHjOgJ8tHfMh8aN/AqahvEyUyc=;
	b=rDmSGChXcyGZuqVYICrQTSCrFFeN4Gn819O/78r8df+uxuiMnhx84DutwfZTiTPKUzVsbg
	RnBxSnla2JLwHToRT9rznjCNVrTxFrrSv+ZNw8DMAab3HsZ5LEzvtU9nSYMA5Q6LTPFUgT
	Rvk5yHroD/ccOSXZ1Vj51UoNccbMfec=
ARC-Authentication-Results: i=1;
	imf10.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=U2b9lM71;
	dmarc=pass (policy=none) header.from=chromium.org;
	spf=pass (imf10.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.47 as permitted sender) smtp.mailfrom=keescook@chromium.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1670517998; a=rsa-sha256;
	cv=none;
	b=42PgQMjezyLg254xUOs44jbLxgiS/Y9fVEVME8GlE1zn7wPwXlAjo7bTj8omrgor/NReB0
	A/Tn5Er6rjW9vvVAWDxCFQZxga40jN3IIkKdsL/86ar4maBq7dJj7O3Jz+SRfmwBziJ1vi
	2jLgGtVfLp8Y6xVf48Zf9/YwnqU/7Wk=
Received: by mail-pj1-f47.google.com with SMTP id q17-20020a17090aa01100b002194cba32e9so5250362pjp.1
        for <linux-mm@kvack.org>; Thu, 08 Dec 2022 08:46:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=M5g9x1VwrktuopxwMZHjOgJ8tHfMh8aN/AqahvEyUyc=;
        b=U2b9lM71DR7CIe1jVRJVDqcCVhIQHrqrw/uvbLFZM9bDhCqODmtXgLThl7qogxizyH
         LHX+6BExWkAsbrHdlV59CE1zTXObbdVbPVjURA6GJFFKmtA6dpDCKmVME2CfPTDIysXO
         78uEvSSKu9kDFFKutu9isCrAh0vezxIhwguWU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=M5g9x1VwrktuopxwMZHjOgJ8tHfMh8aN/AqahvEyUyc=;
        b=fMxnUNTgz+BE0Wcbz6yW1Ph0YRt+bM6oqW9ucrXsQBiYkAWdSUhQzSA9CWacXhDtQM
         C2WVYC37um85QEuBizoxtHHJer/iDdLRCzXaQqCMPpMr1Yr6PvHc3WxVaLnBC7WhyO7h
         sYclaAGPnx9l7mgCFFrT8GwhVcjsnuMqwKJDqIkT9ZWrtrbK4BOnNBvthgXyTdUrTNK9
         o8BYsLbGs4ZpqK0wZm52iwDU7nz67N5BJDtCce7/nCZtLu+AB0IMvf7oPQaAe9CcFgnd
         k/1FjKg9zqjIpGz2hTHasA/8dGxUdzv8mYzTHdQrK2ahNx9EP9XA1F1sg9Z9+pmwwucc
         ssNA==
X-Gm-Message-State: ANoB5pkfj4c6Co/rRu6Cy3mOyupBsUKv5ChXCSUSQtgCUEM8Qh2ijniS
	PQQgBUpXnOZQZWL2S1KewKSPCQ==
X-Google-Smtp-Source: AA0mqf7rJ3anr4Kc+n7+Zjin6BYJYXJCfq/+N+XN/qjcSVRqcGe1qoouE4guqX4TOa/NYXtzAAEA9A==
X-Received: by 2002:a17:902:dacd:b0:189:6889:c30a with SMTP id q13-20020a170902dacd00b001896889c30amr61854329plx.6.1670517997289;
        Thu, 08 Dec 2022 08:46:37 -0800 (PST)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id f6-20020a170902ce8600b001743ba85d39sm16877857plg.110.2022.12.08.08.46.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 08 Dec 2022 08:46:36 -0800 (PST)
Date: Thu, 8 Dec 2022 08:46:35 -0800
From: Kees Cook <keescook@chromium.org>
To: jeffxu@chromium.org
Cc: skhan@linuxfoundation.org, akpm@linux-foundation.org,
	dmitry.torokhov@gmail.com, dverkamp@chromium.org, hughd@google.com,
	jeffxu@google.com, jorgelo@chromium.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-mm@kvack.org, jannh@google.com,
	linux-hardening@vger.kernel.org, kernel test robot <lkp@intel.com>,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v6 6/6] mm/memfd: security hook for memfd_create
Message-ID: <202212080845.8E9D894B@keescook>
References: <20221207154939.2532830-1-jeffxu@google.com>
 <20221207154939.2532830-7-jeffxu@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20221207154939.2532830-7-jeffxu@google.com>
X-Rspamd-Queue-Id: 6877DC0008
X-Rspamd-Server: rspam09
X-Rspam-User: 
X-Stat-Signature: 979xeja5eff1hd8s79p46nr7upziqh6w
X-HE-Tag: 1670517998-34909
X-HE-Meta: U2FsdGVkX19ASbyCh+NQ++MqKJfYwSrnDpuxok6QZNgyUiaKrLxRsyfJ5/Ov5TLW3I9nMEQoAGQIxTtsnQxB22cu6PYbIAx8sTEu2uIX9lSwMdVFgOxpvNemFgPJrIqCABjWiZnur1KmLfbmYggIoDVwF4qgwM3cPEutXDuS8H10rVwNbxHR/44Vi39TSvACWm5AnqxWmnJw/2ZPl0493ZVv6MAf0qXZvihWqIhzHYpr7TQRKlTIcKqODVQmcv1jUFpKOLGWmbTYkv5X++5udQ6Uhcuvv5p57qzWxfFiJLctG6JcswrPUSlbyEXfzixq6wB2HdO32XmHzA+JS69zhpbkRNdsoSnaFb1MGTgNUPpUSK5LEnTTs0UTmtYV5WLGWys4XGseN7nlO9o8upEfqtk/UX34IjtVEkclYK8nllodfooEeSP0VB194oXSJgGMGIuUeQ/dEcSNitE0MmFBFmgAply7tQAM2jw8u4MI/ID/Mp2k3eFMBaWUEHF0N+i6Mmme7QFt0+VlSVxHwDPoB0As8B5T3EOrnS26bfEtx0+9aTuNNSszPAaOiRu7zB/VkwcFNvYRej8WGlqy0tAFs2dxMZFC38rg3PY/bceBqPi78AwNKFpo0XgGLP9R3Ao9LZAwVVKLkX8eijC5f4vgfYTrn5Vt+GMkc2UamlaSnuL21NLmPTIEjhsPbdebrBDAy5w6ZFL0+rIVN4sSbK9SiGshr5fIrw5IZY9+ajcB/CF3jCEI58a0nOwZMoOfhh43cWGdUDEJD805Tdvj90cRJfm9xHURMqZInmRLuXORf6sRjlGp6sd/IQVi07e18/m3fAYAyX/cNeoCxCmQYARiQ0XhRsrxlTQIyttq57k2IWhnwCDYYSWOdMRcanPBANZCHW9enAX7QMUGhoe0wjhjJ3Wu3iccqAil+uwylTMQqTPcodqFwPjuWb8A+tnHRRPbeIP3Z3qd1f6aPgJwc3D
 nEZQT02v
 qBas2pF2PWO/Cl1mtaWhB69L2Wi6S6hAT4Ozc/byGwH2sIexmwYke9HSmGs/C8Q8M0WpmhfgdsYAxSfyWMe6eXhT8bBflYKQpPckCtxd/mDlZcSuyvkabeYUFPGdHAXhh52n9QExTFLGE2O3YB930YgqdGtyHwJA9joADiVTLddxwYBwARyZEnmlLeSw8pF8tNxZ4YDvoy0KMho+fsL67wz6BMQ==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Dec 07, 2022 at 03:49:39PM +0000, jeffxu@chromium.org wrote:
> From: Jeff Xu <jeffxu@google.com>
> 
> The new security_memfd_create allows lsm to check flags of
> memfd_create.
> 
> The security by default system (such as chromeos) can use this
> to implement system wide lsm to allow only non-executable memfd
> being created.
> 
> Signed-off-by: Jeff Xu <jeffxu@google.com>
> Reported-by: kernel test robot <lkp@intel.com>

Oh, btw, please CC linux-security-module@vger.kernel.org when adding new
hooks. (I've added the CC here.)

-Kees

> ---
>  include/linux/lsm_hook_defs.h |  1 +
>  include/linux/lsm_hooks.h     |  4 ++++
>  include/linux/security.h      |  6 ++++++
>  mm/memfd.c                    |  5 +++++
>  security/security.c           | 13 +++++++++++++
>  5 files changed, 29 insertions(+)
> 
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index ec119da1d89b..fd40840927c8 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -164,6 +164,7 @@ LSM_HOOK(int, 0, file_alloc_security, struct file *file)
>  LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
>  LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
>  	 unsigned long arg)
> +LSM_HOOK(int, 0, memfd_create, char *name, unsigned int flags)
>  LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
>  LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
>  	 unsigned long prot, unsigned long flags)
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 4ec80b96c22e..5a18a6552278 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -543,6 +543,10 @@
>   *	simple integer value.  When @arg represents a user space pointer, it
>   *	should never be used by the security module.
>   *	Return 0 if permission is granted.
> + * @memfd_create:
> + *	@name is the name of memfd file.
> + *	@flags is the flags used in memfd_create.
> + *	Return 0 if permission is granted.
>   * @mmap_addr :
>   *	Check permissions for a mmap operation at @addr.
>   *	@addr contains virtual address that will be used for the operation.
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ca1b7109c0db..5b87a780822a 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -384,6 +384,7 @@ int security_file_permission(struct file *file, int mask);
>  int security_file_alloc(struct file *file);
>  void security_file_free(struct file *file);
>  int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
> +int security_memfd_create(char *name, unsigned int flags);
>  int security_mmap_file(struct file *file, unsigned long prot,
>  			unsigned long flags);
>  int security_mmap_addr(unsigned long addr);
> @@ -963,6 +964,11 @@ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
>  	return 0;
>  }
>  
> +static inline int security_memfd_create(char *name, unsigned int flags)
> +{
> +	return 0;
> +}
> +
>  static inline int security_mmap_file(struct file *file, unsigned long prot,
>  				     unsigned long flags)
>  {
> diff --git a/mm/memfd.c b/mm/memfd.c
> index 92f0a5765f7c..f04ed5f0474f 100644
> --- a/mm/memfd.c
> +++ b/mm/memfd.c
> @@ -356,6 +356,11 @@ SYSCALL_DEFINE2(memfd_create,
>  		goto err_name;
>  	}
>  
> +	/* security hook for memfd_create */
> +	error = security_memfd_create(name, flags);
> +	if (error)
> +		return error;
> +
>  	if (flags & MFD_HUGETLB) {
>  		file = hugetlb_file_setup(name, 0, VM_NORESERVE,
>  					HUGETLB_ANONHUGE_INODE,
> diff --git a/security/security.c b/security/security.c
> index 79d82cb6e469..5c018e080923 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1010,6 +1010,19 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb,
>  }
>  EXPORT_SYMBOL(security_sb_clone_mnt_opts);
>  
> +int security_add_mnt_opt(const char *option, const char *val, int len,
> +			 void **mnt_opts)
> +{
> +	return call_int_hook(sb_add_mnt_opt, -EINVAL,
> +					option, val, len, mnt_opts);
> +}
> +EXPORT_SYMBOL(security_add_mnt_opt);
> +
> +int security_memfd_create(char *name, unsigned int flags)
> +{
> +	return call_int_hook(memfd_create, 0, name, flags);
> +}
> +
>  int security_move_mount(const struct path *from_path, const struct path *to_path)
>  {
>  	return call_int_hook(move_mount, 0, from_path, to_path);
> -- 
> 2.39.0.rc0.267.gcb52ba06e7-goog
> 

-- 
Kees Cook