From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14F2DC77B7F for ; Mon, 23 Jun 2025 10:16:41 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id AF5BD6B0089; Mon, 23 Jun 2025 06:16:40 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id AA7076B00C1; Mon, 23 Jun 2025 06:16:40 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9E4E36B00C2; Mon, 23 Jun 2025 06:16:40 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 8B88D6B0089 for ; Mon, 23 Jun 2025 06:16:40 -0400 (EDT) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 99C87BA090 for ; Mon, 23 Jun 2025 10:16:39 +0000 (UTC) X-FDA: 83586261318.29.FF731C4 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf10.hostedemail.com (Postfix) with ESMTP id E0385C000B for ; Mon, 23 Jun 2025 10:16:37 +0000 (UTC) Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=kUjqUI2t; spf=pass (imf10.hostedemail.com: domain of brauner@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=brauner@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1750673798; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Gq/d4RK34vNZW1Snttjd9IZLD644HjxweCex1FEralo=; b=ysnovKeiKYaiBXdnhlKhuBu0pbyaUJ9YqJQU9ZeuqI+DgLeJNGdBuXQh2upDN7U1tvle4+ ZcAryNzxhjIkZEzsFbhXkxj9EsIvhwRMp9Zq+ELDirUFBEgBLz8Cv8yukCukdHcgs1HTiC c/jJBWInRs/fuTgBMVxmr8Uo6EkqwVs= ARC-Authentication-Results: i=1; imf10.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=kUjqUI2t; spf=pass (imf10.hostedemail.com: domain of brauner@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=brauner@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1750673798; a=rsa-sha256; cv=none; b=H1Bfoa2rX2vLKsdfkK4hULUzTd2H3wcTO6UrqXjUsXBDTmE/NcAN5X0zEkXup7VZLud3Of mwhsAcvQINzMAgoDWra1Hz3I7WXH+jvewr2C8TLZWSlB9/Iak5exCjQ3Yzno5TmNFuP3cX Kzpa7V5wbV2HBJxzdO2kB8qE3U9aSgI= Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 4759D5C5BE3; Mon, 23 Jun 2025 10:14:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BCE6EC4CEF0; Mon, 23 Jun 2025 10:16:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1750673796; bh=uANWeMNyTEGUxGx9R6g80F8R/lxIBbDL+x6N92SBdcA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=kUjqUI2tWmvPUPoMTkwJDfBa0vFFJLqGjdn+pzExsg2adnrlJ9aQi6TlF/4QMR/lW 2QXmBWrc7i8N7RFeJu39wki9n3pVEpGTCOi0ZpPJtUv6LNbbJ3BNjzNmJO0vexSjhH Y/b36coxu7XGxmkU8Hyefqemrb15U6fOREfQ++8wzL6B1EJj0ne3IyZRLBicjbgPIn Rg3FXxu2I5263anXonUzxyhQWRxCkfM54smFSWhOL/Zq5kfLzUE5wqU7ZaA5OFQV7r t+k/siDb5gQAv+lmeoLZT038qa06KHlD2yAS2P0IiIPxL0vJJoyvjkbKf7C9V9kHwD VMr35Yv8SS0Sw== Date: Mon, 23 Jun 2025 12:16:27 +0200 From: Christian Brauner To: Sean Christopherson Cc: Mike Rapoport , Vlastimil Babka , Shivank Garg , david@redhat.com, akpm@linux-foundation.org, paul@paul-moore.com, viro@zeniv.linux.org.uk, willy@infradead.org, pbonzini@redhat.com, tabba@google.com, afranji@google.com, ackerleytng@google.com, jack@suse.cz, hch@infradead.org, cgzones@googlemail.com, ira.weiny@intel.com, roypat@amazon.co.uk, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Message-ID: <20250623-warmwasser-giftig-ff656fce89ad@brauner> References: <20250619073136.506022-2-shivankg@amd.com> <20250619-fixpunkt-querfeldein-53eb22d0135f@brauner> <20250619-ablichten-korpulent-0efe2ddd0ee6@brauner> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Rspam-User: X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: E0385C000B X-Stat-Signature: iufufohhc9k6nk71kqru4a6zhpggze4c X-HE-Tag: 1750673797-171581 X-HE-Meta: U2FsdGVkX1/HuYM8YsM2L7Mek8mKeuvuEMw6gPfpQP++tTxZCF5J417ondowvGKkMi5ABlyMmDAAo9Fea3AakQNN2KV2ZvWQGRqbg/iklT/sGvRfp8JR77smaexvTBTlUrRCHwdGjWgAU9wtfgEzNKmDTMkOrYAtLWSAuA/yLUvVYp/pIM25sY/QvMQhJ6O5E0TIq4ZDd2koXh7AEcacLjozRN4yOfTeHBu1o0O33enCrVnN18EpspMaIFIpc2w1S4vUg54WjqDbV3C86Yr+TLVKFbB9z81vz1hExD9JAolmdSJ/arvRabnYd7Q7cpS2aYLNXXeJ5zCpGCQ50YGPGd3ye6qLCbPnQ3D814EST3nXQetkULwWIkSoVkq7Hw/mHFNW5k1GIBtm/tWtB3iki+sNIgVYxDDlLJof7z1utDjXZaum4jM06JD2yJd1ME4MuYRuqR0ZolQC8+n4IyZAiF6eF4RbONYxsszMXGxgPFVsUN+w0jYsyX6BcMCYOHqvRx6+IQMW+kYagJcCOeMAoz4vjHGK5N19PcUG8YRwNmBaRUa755VRIXf6TIEFdWkuqjaK/vWUsrk2Eqnoe00R8TsxWXhRbdMxBa635VtMqcF3o963hK+M/kcCoavvt/uhiT70DzH4AwITpFVbCfSIKRnnicjIj0kuqT8aHb2Iv+8x/lPmBPnmf4zZ8Q2QTapDshx0NtPyKdUDagkkIFjNiVwQJ4lOEqpq4agM5DY7SjRSh6qm/Q4I0N3KM6vl/R0Fw7IEfj2lHuCEVoV2QIbt6rkhruGAiwAJZkqXsS9D7LMCWi/c86pqyM98ZgxUI3k3b59MSfr6IrUaFoyWy14euXR3AeZei0dJgk6+R60Gg10dPNpKbEwdjQEVbib+GdrnjPSHIpWqotwI8DziSzuJwSIKtmUPe/Er9MYUlzxhXVDvUJpsyAOIx/uutLGjhNsbI4sugiFzb+l/PRITOKL O/2Pb8he g0xnHJ1YemJ7wJ1p45O7n0sZzrI13dDWbO3mbE6qpp07D5oG6hEbJgWZJCNNFWKfhlTC+75HEQKHKuY0nUuk53gaM/FQcO2jrMWhTnUaNyHpqVGostPHuWW95Zaxo3VntjALE0krMaWLgpGkhX6dCdeWOala+4CgeARpdjXDRtTo4H7C5PqJSro5TFJdiptEWVvDGomGWFNLs3iXRRDLfG8p93De4UP+M8S/OtDdEjMX79xcn1sJPuu+1fyNHHZWVFu8shCIgJ21fWjmlcxBhOB/i2wSgk7UIjEixj8a76smxNtXAQZgIBHRuLCSEhGfWau+GY346a8uFq5uc00xm1AvIrg4PBFBZOWSYC2OefAOAMFwD4LM0o3WA9kSNO11DsJ7/e72E0D84wnE= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Fri, Jun 20, 2025 at 08:02:18AM -0700, Sean Christopherson wrote: > On Thu, Jun 19, 2025, Mike Rapoport wrote: > > On Thu, Jun 19, 2025 at 02:06:17PM +0200, Christian Brauner wrote: > > > On Thu, Jun 19, 2025 at 02:01:22PM +0300, Mike Rapoport wrote: > > > > On Thu, Jun 19, 2025 at 12:38:25PM +0200, Christian Brauner wrote: > > > > > On Thu, Jun 19, 2025 at 11:13:49AM +0200, Vlastimil Babka wrote: > > > > > > On 6/19/25 09:31, Shivank Garg wrote: > > > > > > > Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create > > > > > > > anonymous inodes with proper security context. This replaces the current > > > > > > > pattern of calling alloc_anon_inode() followed by > > > > > > > inode_init_security_anon() for creating security context manually. > > > > > > > > > > > > > > This change also fixes a security regression in secretmem where the > > > > > > > S_PRIVATE flag was not cleared after alloc_anon_inode(), causing > > > > > > > LSM/SELinux checks to be bypassed for secretmem file descriptors. > > > > > > > > > > > > > > As guest_memfd currently resides in the KVM module, we need to export this > > > > > > > > > > > > Could we use the new EXPORT_SYMBOL_GPL_FOR_MODULES() thingy to make this > > > > > > explicit for KVM? > > > > > > > > > > Oh? Enlighten me about that, if you have a second, please. > > > > > > > > From Documentation/core-api/symbol-namespaces.rst: > > > > > > > > The macro takes a comma separated list of module names, allowing only those > > > > modules to access this symbol. Simple tail-globs are supported. > > > > > > > > For example:: > > > > > > > > EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*") > > > > > > > > will limit usage of this symbol to modules whoes name matches the given > > > > patterns. > > > > > > Is that still mostly advisory and can still be easily circumenvented? > > Yes and no. For out-of-tree modules, it's mostly advisory. Though I can imagine > if someone tries to report a bug because their module is masquerading as e.g. kvm, > then they will be told to go away (in far less polite words :-D). > > For in-tree modules, the restriction is much more enforceable. Renaming a module > to circumvent a restricted export will raise major red flags, and getting "proper" > access to a symbol would require an ack from the relevant maintainers. E.g. for > many KVM-induced exports, it's not that other module writers are trying to misbehave, > there simply aren't any guardrails to deter them from using a "dangerous" export. > > The other big benefit I see is documentation, e.g. both for readers/developers to > understand the intent, and for auditing purposes (I would be shocked if there > aren't exports that were KVM-induced, but that are no longer necessary). > > And we can utilize the framework to do additional hardening. E.g. for exports > that exist solely for KVM, I plan on adding wrappers so that the symbols are > exproted if and only if KVM is enabled in the kernel .config[*]. Again, that's > far from perfect, e.g. AFAIK every distro enables KVM, but it should help keep > everyone honest. > > [*] https://lore.kernel.org/all/ZzJOoFFPjrzYzKir@google.com > > > The commit message says > > > > will limit the use of said function to kvm.ko, any other module trying > > to use this symbol will refure to load (and get modpost build > > failures). > > To Christian's point, the restrictions are trivial to circumvent by out-of-tree > modules. E.g. to get access to the above, simply name your module kvm-lol.ko or > whatever. Thanks for all the details! I'm more than happy to switch a bunch of our exports so that we only allow them for specific modules. But for that we also need EXPOR_SYMBOL_FOR_MODULES() so we can switch our non-gpl versions.