From: Christian Brauner
To: Shivank Garg
Cc: Christian Brauner, seanjc@google.com, vbabka@suse.cz, willy@infradead.org,
    pbonzini@redhat.com, tabba@google.com, afranji@google.com,
    ackerleytng@google.com, jack@suse.cz, hch@infradead.org,
    cgzones@googlemail.com, ira.weiny@intel.com, roypat@amazon.co.uk,
    linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
    linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org,
    david@redhat.com, akpm@linux-foundation.org, paul@paul-moore.com,
    rppt@kernel.org, viro@zeniv.linux.org.uk
Subject: Re: [PATCH V2] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
Date: Mon, 23 Jun 2025 12:41:28 +0200
Message-ID: <20250623-abmessungen-vakuum-9c0c03207fcd@brauner>
In-Reply-To: <20250620070328.803704-3-shivankg@amd.com>

On Fri, 20 Jun 2025 07:03:30 +0000, Shivank Garg wrote:
> Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
> anonymous inodes with proper security context. This replaces the current
> pattern of calling alloc_anon_inode() followed by
> inode_init_security_anon() for creating security context manually.
>
> This change also fixes a security regression in secretmem where the
> S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
> LSM/SELinux checks to be bypassed for secretmem file descriptors.
>
> [...]

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
      https://git.kernel.org/vfs/vfs/c/cbe4134ea4bc
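
The regression described in the quoted patch text, as a user-space C model added here (it is not kernel code and not part of the patch or this mail): an inode left marked `S_PRIVATE` makes the modelled LSM hook return success before policy is consulted, while clearing the flag lets a policy denial take effect. All `model_` names, the `secretmem_t` label and the `policy_allows` flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define S_PRIVATE (1u << 9)            /* model of the fs-internal inode flag */
#define IS_PRIVATE(i) ((i)->i_flags & S_PRIVATE)

struct model_inode {
    unsigned int i_flags;
    const char *label;                 /* security context; NULL = unlabeled */
};

/* Model of alloc_anon_inode(): the new inode comes back marked S_PRIVATE. */
static struct model_inode model_alloc_anon_inode(void)
{
    struct model_inode inode = { .i_flags = S_PRIVATE, .label = NULL };
    return inode;
}

/* Model of the old secretmem pattern: label the inode, leave S_PRIVATE set. */
struct model_inode model_old_pattern(const char *label)
{
    struct model_inode inode = model_alloc_anon_inode();
    inode.label = label;
    return inode;
}

/* Model of the single-helper pattern: clear S_PRIVATE, then label. */
struct model_inode model_make_secure_inode(const char *label)
{
    struct model_inode inode = model_alloc_anon_inode();
    inode.i_flags &= ~S_PRIVATE;
    inode.label = label;
    return inode;
}

/* Model of an LSM hook: private inodes return 0 before policy is consulted. */
int model_lsm_permission(const struct model_inode *inode, bool policy_allows)
{
    if (IS_PRIVATE(inode))
        return 0;                      /* hook skipped: policy never evaluated */
    return policy_allows ? 0 : -13;    /* -EACCES */
}

int main(void)
{
    /* "secretmem_t" is a constructed label, not a real policy type. */
    struct model_inode old = model_old_pattern("secretmem_t");
    struct model_inode fixed = model_make_secure_inode("secretmem_t");
    printf("old pattern, policy denies:   %d\n", model_lsm_permission(&old, false));
    printf("fixed pattern, policy denies: %d\n", model_lsm_permission(&fixed, false));
    return 0;
}
```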