From: Shivank Garg
Date: Fri, 4 Jul 2025 16:11:16 +0530
Subject: Re: [PATCH v3] fs: generalize anon_inode_make_secure_inode() and fix secretmem LSM bypass
To: Paul Moore, david@redhat.com, akpm@linux-foundation.org, brauner@kernel.org, rppt@kernel.org, viro@zeniv.linux.org.uk
Cc: seanjc@google.com, vbabka@suse.cz, willy@infradead.org, pbonzini@redhat.com, tabba@google.com, afranji@google.com, ackerleytng@google.com, jack@suse.cz, hch@infradead.org, cgzones@googlemail.com, ira.weiny@intel.com, roypat@amazon.co.uk, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Message-ID: <67c40ef1-8d90-44c5-b071-b130a960ecc4@amd.com>
References: <20250626191425.9645-5-shivankg@amd.com>

On 7/3/2025 7:43 AM, Paul Moore wrote:
> On Jun 26, 2025 Shivank Garg wrote:
> ...
> Thanks again for your continued work on this! I think the patch looks
> pretty reasonable, but it would be good to hear a bit about how you've
> tested this before ACK'ing the patch. For example, have you tested this
> against any of the LSMs which provide anonymous inode support?
>
> At the very least, the selinux-testsuite has a basic secretmem test, it
> would be good to know if the test passes with this patch or if any
> additional work is needed to ensure compatibility.
>
> https://github.com/SELinuxProject/selinux-testsuite

Hi Paul,

Thank you for pointing me to the selinux-testsuite. I wasn't sure how to
properly test this patch, so your guidance was very helpful.

With the current test policy (test_secretmem.te), I initially encountered
the following failures:

~/selinux-testsuite/tests/secretmem# ./test
memfd_secret() failed: Permission denied
1..6
memfd_secret() failed: Permission denied
ok 1
ftruncate failed: Permission denied
unable to mmap secret memory: Permission denied
not ok 2
# Failed test at ./test line 23.
ftruncate failed: Permission denied
unable to mmap secret memory: Permission denied
ok 3
ftruncate failed: Permission denied
unable to mmap secret memory: Permission denied
ok 4
memfd_secret() failed: Permission denied
ok 5
ftruncate failed: Permission denied
unable to mmap secret memory: Permission denied
not ok 6
# Failed test at ./test line 37.
# Looks like you failed 2 tests of 6.

Using ausearch -m avc, I found denials for create, write, map. For instance:

avc: denied { create } for pid=11956 comm="secretmem" anonclass=[secretmem]
...

To resolve this, I updated test_secretmem.te to add additional required
permissions {create, read, write, map}.

With this change, all tests now pass successfully:

diff --git a/policy/test_secretmem.te b/policy/test_secretmem.te index 357f41d..4cce076 100644 --- a/policy/test_secretmem.te +++ b/policy/test_secretmem.te 
@@ -13,12 +13,12 @@ testsuite_domain_type_minimal(test_nocreate_secretmem_t) # Domain allowed to create secret memory with the own domain type type test_create_secretmem_t; testsuite_domain_type_minimal(test_create_secretmem_t) -allow test_create_secretmem_t self:anon_inode create; +allow test_create_secretmem_t self:anon_inode { create read write map }; # Domain allowed to create secret memory with the own domain type and allowed to map WX type test_create_wx_secretmem_t; testsuite_domain_type_minimal(test_create_wx_secretmem_t) -allow test_create_wx_secretmem_t self:anon_inode create; +allow test_create_wx_secretmem_t self:anon_inode { create read write map }; allow test_create_wx_secretmem_t self:process execmem; # Domain not allowed to create secret memory via a type transition to a private type @@ -30,4 +30,4 @@ type_transition test_nocreate_transition_secretmem_t test_nocreate_transition_se type test_create_transition_secretmem_t; testsuite_domain_type_minimal(test_create_transition_secretmem_t) type_transition test_create_transition_secretmem_t test_create_transition_secretmem_t:anon_inode test_secretmem_inode_t "[secretmem]"; -allow test_create_transition_secretmem_t test_secretmem_inode_t:anon_inode create; +allow test_create_transition_secretmem_t test_secretmem_inode_t:anon_inode { create read write map };

Does this approach look correct to you? Please let me know if my
understanding makes sense and what should be my next step for the patch.

Thanks,
Shivank
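
Review bot: The two self:anon_inode rules in the @@ -13,12 +13,12 @@ hunk grant read, but the message reports AVC denials only for create, write and map. Please confirm that a read denial was actually logged for test_create_secretmem_t and test_create_wx_secretmem_t; if none was, drop it so the rules stay at { create write map } and the test policy records the minimum these domains need. The comments above both rules still describe the domains only as "allowed to create secret memory"; they should say that the ftruncate and mmap steps of the test now need further anon_inode permissions beyond create.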
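
Review bot: The changed rule in the @@ -30,4 +30,4 @@ hunk only widens what test_create_transition_secretmem_t may do on test_secretmem_inode_t, so nothing in the policy checks that write and map are actually enforced on a secretmem inode. Because the new rules are a superset of the old ones, the suite should also pass on a kernel that does not apply these checks. Consider adding a domain that is granted only create on test_secretmem_inode_t:anon_inode, with a test case that expects ftruncate or mmap to fail, so the suite fails if the checks stop being applied.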
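
The denial triage described in the message (ausearch -m avc, then widening test_secretmem.te), as an added example that is not part of the original mail or of selinux-testsuite: it groups AVC denials by source type, target type and class and renders candidate allow rules, skipping domains the test expects to be denied. The log records are constructed (contexts, timestamps, serials and the set of denied permissions are assumptions), and denied_permissions() and allow_rules() are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed, trimmed AVC records: contexts, timestamps and serials are
# invented for illustration; the mail shows only one elided create denial.
SAMPLE_AVC = """\
type=AVC msg=audit(1751625600.101:901): avc:  denied  { create } for  pid=11956 comm="secretmem" anonclass=[secretmem] scontext=u:r:test_nocreate_secretmem_t:s0 tcontext=u:r:test_nocreate_secretmem_t:s0 tclass=anon_inode permissive=0
type=AVC msg=audit(1751625600.202:902): avc:  denied  { write } for  pid=11960 comm="secretmem" scontext=u:r:test_create_secretmem_t:s0 tcontext=u:r:test_create_secretmem_t:s0 tclass=anon_inode permissive=0
type=AVC msg=audit(1751625600.203:903): avc:  denied  { map } for  pid=11960 comm="secretmem" scontext=u:r:test_create_secretmem_t:s0 tcontext=u:r:test_create_secretmem_t:s0 tclass=anon_inode permissive=0
type=AVC msg=audit(1751625600.304:904): avc:  denied  { write } for  pid=11964 comm="secretmem" scontext=u:r:test_create_transition_secretmem_t:s0 tcontext=u:r:test_secretmem_inode_t:s0 tclass=anon_inode permissive=0
type=AVC msg=audit(1751625600.305:905): avc:  denied  { map } for  pid=11964 comm="secretmem" scontext=u:r:test_create_transition_secretmem_t:s0 tcontext=u:r:test_secretmem_inode_t:s0 tclass=anon_inode permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denied_permissions(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
            denied[key].update(m["perms"].split())
    return dict(denied)

def allow_rules(denied, expect_denied=()):
    """Render candidate allow rules, leaving negative-test domains untouched."""
    rules = []
    for (src, tgt, cls), perms in sorted(denied.items()):
        if src in expect_denied:  # this denial is what the test asserts
            continue
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    found = denied_permissions(SAMPLE_AVC)
    print("\n".join(allow_rules(found, {"test_nocreate_secretmem_t"})))
```

The rendered rules list only the permissions that were denied, so they are merged by hand into the existing create rule; a permission that never appears in a denial has no evidence for being granted.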