From: Fuad Tabba <tabba@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Marc Zyngier" <maz@kernel.org>,
"Oliver Upton" <oliver.upton@linux.dev>,
"Huacai Chen" <chenhuacai@kernel.org>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Anup Patel" <anup@brainfault.org>,
"Paul Walmsley" <paul.walmsley@sifive.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
"Albert Ou" <aou@eecs.berkeley.edu>,
"Sean Christopherson" <seanjc@google.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Christian Brauner" <brauner@kernel.org>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
kvmarm@lists.linux.dev, linux-mips@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, kvm-riscv@lists.infradead.org,
linux-riscv@lists.infradead.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
"Xiaoyao Li" <xiaoyao.li@intel.com>,
"Xu Yilun" <yilun.xu@intel.com>,
"Chao Peng" <chao.p.peng@linux.intel.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
"Anish Moorthy" <amoorthy@google.com>,
"David Matlack" <dmatlack@google.com>,
"Yu Zhang" <yu.c.zhang@linux.intel.com>,
"Isaku Yamahata" <isaku.yamahata@intel.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Vishal Annapurve" <vannapurve@google.com>,
"Ackerley Tng" <ackerleytng@google.com>,
"Maciej Szmigiero" <mail@maciej.szmigiero.name>,
"David Hildenbrand" <david@redhat.com>,
"Quentin Perret" <qperret@google.com>,
"Michael Roth" <michael.roth@amd.com>,
Wang <wei.w.wang@intel.com>,
"Liam Merwick" <liam.merwick@oracle.com>,
"Isaku Yamahata" <isaku.yamahata@gmail.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: Re: [PATCH 14/34] fs: Rename anon_inode_getfile_secure() and anon_inode_getfd_secure()
Date: Mon, 6 Nov 2023 11:41:33 +0000 [thread overview]
Message-ID: <CA+EHjTwJyiyUnQpMZedqBa1QVdURH4C0ZcJ1nUY7TmuMjppReg@mail.gmail.com> (raw)
In-Reply-To: <20231105163040.14904-15-pbonzini@redhat.com>
On Sun, Nov 5, 2023 at 4:32 PM Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> The call to the inode_init_security_anon() LSM hook is not the sole
> reason to use anon_inode_getfile_secure() or anon_inode_getfd_secure().
> For example, the functions also allow one to create a file with non-zero
> size, without needing a full-blown filesystem. In this case, you don't
> need a "secure" version, just unique inodes; the current name of the
> functions is confusing and does not explain well the difference with
> the more "standard" anon_inode_getfile() and anon_inode_getfd().
>
> Of course, there is another side of the coin; neither io_uring nor
> userfaultfd strictly speaking need distinct inodes, and it is not
> that clear anymore that anon_inode_create_get{file,fd}() allow the LSM
> to intercept and block the inode's creation. If one was so inclined,
> anon_inode_getfile_secure() and anon_inode_getfd_secure() could be kept,
> using the shared inode or a new one depending on CONFIG_SECURITY.
> However, this is probably overkill, and potentially a cause of bugs in
> different configurations. Therefore, just add a comment to io_uring
> and userfaultfd explaining the choice of the function.
>
> While at it, remove the export for what is now anon_inode_create_getfd().
> There is no in-tree module that uses it, and the old name is gone anyway.
> If anybody actually needs the symbol, they can ask or they can just use
> anon_inode_create_getfile(), which will be exported very soon for use
> in KVM.
>
> Suggested-by: Christian Brauner <brauner@kernel.org>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
Reviewed-by: Fuad Tabba <tabba@google.com>
Tested-by: Fuad Tabba <tabba@google.com>
Cheers,
/fuad
> fs/anon_inodes.c | 46 +++++++++++++++++++++++--------------
> fs/userfaultfd.c | 5 ++--
> include/linux/anon_inodes.h | 4 ++--
> io_uring/io_uring.c | 3 ++-
> 4 files changed, 36 insertions(+), 22 deletions(-)
>
> diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
> index 24192a7667ed..3d4a27f8b4fe 100644
> --- a/fs/anon_inodes.c
> +++ b/fs/anon_inodes.c
> @@ -79,7 +79,7 @@ static struct file *__anon_inode_getfile(const char *name,
> const struct file_operations *fops,
> void *priv, int flags,
> const struct inode *context_inode,
> - bool secure)
> + bool make_inode)
> {
> struct inode *inode;
> struct file *file;
> @@ -87,7 +87,7 @@ static struct file *__anon_inode_getfile(const char *name,
> if (fops->owner && !try_module_get(fops->owner))
> return ERR_PTR(-ENOENT);
>
> - if (secure) {
> + if (make_inode) {
> inode = anon_inode_make_secure_inode(name, context_inode);
> if (IS_ERR(inode)) {
> file = ERR_CAST(inode);
> @@ -149,13 +149,10 @@ struct file *anon_inode_getfile(const char *name,
> EXPORT_SYMBOL_GPL(anon_inode_getfile);
>
> /**
> - * anon_inode_getfile_secure - Like anon_inode_getfile(), but creates a new
> + * anon_inode_create_getfile - Like anon_inode_getfile(), but creates a new
> * !S_PRIVATE anon inode rather than reuse the
> * singleton anon inode and calls the
> - * inode_init_security_anon() LSM hook. This
> - * allows for both the inode to have its own
> - * security context and for the LSM to enforce
> - * policy on the inode's creation.
> + * inode_init_security_anon() LSM hook.
> *
> * @name: [in] name of the "class" of the new file
> * @fops: [in] file operations for the new file
> @@ -164,11 +161,19 @@ EXPORT_SYMBOL_GPL(anon_inode_getfile);
> * @context_inode:
> * [in] the logical relationship with the new inode (optional)
> *
> + * Create a new anonymous inode and file pair. This can be done for two
> + * reasons:
> + * - for the inode to have its own security context, so that LSMs can enforce
> + * policy on the inode's creation;
> + * - if the caller needs a unique inode, for example in order to customize
> + * the size returned by fstat()
> + *
> * The LSM may use @context_inode in inode_init_security_anon(), but a
> - * reference to it is not held. Returns the newly created file* or an error
> - * pointer. See the anon_inode_getfile() documentation for more information.
> + * reference to it is not held.
> + *
> + * Returns the newly created file* or an error pointer.
> */
> -struct file *anon_inode_getfile_secure(const char *name,
> +struct file *anon_inode_create_getfile(const char *name,
> const struct file_operations *fops,
> void *priv, int flags,
> const struct inode *context_inode)
> @@ -181,7 +186,7 @@ static int __anon_inode_getfd(const char *name,
> const struct file_operations *fops,
> void *priv, int flags,
> const struct inode *context_inode,
> - bool secure)
> + bool make_inode)
> {
> int error, fd;
> struct file *file;
> @@ -192,7 +197,7 @@ static int __anon_inode_getfd(const char *name,
> fd = error;
>
> file = __anon_inode_getfile(name, fops, priv, flags, context_inode,
> - secure);
> + make_inode);
> if (IS_ERR(file)) {
> error = PTR_ERR(file);
> goto err_put_unused_fd;
> @@ -231,10 +236,9 @@ int anon_inode_getfd(const char *name, const struct file_operations *fops,
> EXPORT_SYMBOL_GPL(anon_inode_getfd);
>
> /**
> - * anon_inode_getfd_secure - Like anon_inode_getfd(), but creates a new
> + * anon_inode_create_getfd - Like anon_inode_getfd(), but creates a new
> * !S_PRIVATE anon inode rather than reuse the singleton anon inode, and calls
> - * the inode_init_security_anon() LSM hook. This allows the inode to have its
> - * own security context and for a LSM to reject creation of the inode.
> + * the inode_init_security_anon() LSM hook.
> *
> * @name: [in] name of the "class" of the new file
> * @fops: [in] file operations for the new file
> @@ -243,16 +247,24 @@ EXPORT_SYMBOL_GPL(anon_inode_getfd);
> * @context_inode:
> * [in] the logical relationship with the new inode (optional)
> *
> + * Create a new anonymous inode and file pair. This can be done for two
> + * reasons:
> + * - for the inode to have its own security context, so that LSMs can enforce
> + * policy on the inode's creation;
> + * - if the caller needs a unique inode, for example in order to customize
> + * the size returned by fstat()
> + *
> * The LSM may use @context_inode in inode_init_security_anon(), but a
> * reference to it is not held.
> + *
> + * Returns a newly created file descriptor or an error code.
> */
> -int anon_inode_getfd_secure(const char *name, const struct file_operations *fops,
> +int anon_inode_create_getfd(const char *name, const struct file_operations *fops,
> void *priv, int flags,
> const struct inode *context_inode)
> {
> return __anon_inode_getfd(name, fops, priv, flags, context_inode, true);
> }
> -EXPORT_SYMBOL_GPL(anon_inode_getfd_secure);
>
> static int __init anon_inode_init(void)
> {
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index 56eaae9dac1a..7a1cf8bab5eb 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1033,7 +1033,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new,
> {
> int fd;
>
> - fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new,
> + fd = anon_inode_create_getfd("[userfaultfd]", &userfaultfd_fops, new,
> O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
> if (fd < 0)
> return fd;
> @@ -2205,7 +2205,8 @@ static int new_userfaultfd(int flags)
> /* prevent the mm struct to be freed */
> mmgrab(ctx->mm);
>
> - fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx,
> + /* Create a new inode so that the LSM can block the creation. */
> + fd = anon_inode_create_getfd("[userfaultfd]", &userfaultfd_fops, ctx,
> O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
> if (fd < 0) {
> mmdrop(ctx->mm);
> diff --git a/include/linux/anon_inodes.h b/include/linux/anon_inodes.h
> index 5deaddbd7927..93a5f16d03f3 100644
> --- a/include/linux/anon_inodes.h
> +++ b/include/linux/anon_inodes.h
> @@ -15,13 +15,13 @@ struct inode;
> struct file *anon_inode_getfile(const char *name,
> const struct file_operations *fops,
> void *priv, int flags);
> -struct file *anon_inode_getfile_secure(const char *name,
> +struct file *anon_inode_create_getfile(const char *name,
> const struct file_operations *fops,
> void *priv, int flags,
> const struct inode *context_inode);
> int anon_inode_getfd(const char *name, const struct file_operations *fops,
> void *priv, int flags);
> -int anon_inode_getfd_secure(const char *name,
> +int anon_inode_create_getfd(const char *name,
> const struct file_operations *fops,
> void *priv, int flags,
> const struct inode *context_inode);
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 8d1bc6cdfe71..22b98f47bb28 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -3835,7 +3835,8 @@ static struct file *io_uring_get_file(struct io_ring_ctx *ctx)
> return ERR_PTR(ret);
> #endif
>
> - file = anon_inode_getfile_secure("[io_uring]", &io_uring_fops, ctx,
> + /* Create a new inode so that the LSM can block the creation. */
> + file = anon_inode_create_getfile("[io_uring]", &io_uring_fops, ctx,
> O_RDWR | O_CLOEXEC, NULL);
> #if defined(CONFIG_UNIX)
> if (IS_ERR(file)) {
> --
> 2.39.1
>
>
next prev parent reply other threads:[~2023-11-06 11:42 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-05 16:30 [PATCH v14 00/34] KVM: guest_memfd() and per-page attributes Paolo Bonzini
2023-11-05 16:30 ` [PATCH 01/34] KVM: Tweak kvm_hva_range and hva_handler_t to allow reusing for gfn ranges Paolo Bonzini
2023-11-06 9:28 ` Huang, Kai
2023-11-05 16:30 ` [PATCH 02/34] KVM: Assert that mmu_invalidate_in_progress *never* goes negative Paolo Bonzini
2023-11-06 9:29 ` Huang, Kai
2023-11-05 16:30 ` [PATCH 03/34] KVM: Use gfn instead of hva for mmu_notifier_retry Paolo Bonzini
2023-11-06 9:29 ` Huang, Kai
2023-11-05 16:30 ` [PATCH 04/34] KVM: WARN if there are dangling MMU invalidations at VM destruction Paolo Bonzini
2023-11-05 16:30 ` [PATCH 05/34] KVM: PPC: Drop dead code related to KVM_ARCH_WANT_MMU_NOTIFIER Paolo Bonzini
2023-11-05 16:30 ` [PATCH 06/34] KVM: PPC: Return '1' unconditionally for KVM_CAP_SYNC_MMU Paolo Bonzini
2023-11-05 16:30 ` [PATCH 07/34] KVM: Convert KVM_ARCH_WANT_MMU_NOTIFIER to CONFIG_KVM_GENERIC_MMU_NOTIFIER Paolo Bonzini
2023-11-05 16:30 ` [PATCH 08/34] KVM: Introduce KVM_SET_USER_MEMORY_REGION2 Paolo Bonzini
2023-11-06 9:27 ` Huang, Kai
2023-11-07 5:47 ` Yuan Yao
2023-11-05 16:30 ` [PATCH 09/34] KVM: Add KVM_EXIT_MEMORY_FAULT exit to report faults to userspace Paolo Bonzini
2023-11-06 10:23 ` Fuad Tabba
2023-11-09 7:30 ` Xiaoyao Li
2023-11-05 16:30 ` [PATCH 10/34] KVM: Add a dedicated mmu_notifier flag for reclaiming freed memory Paolo Bonzini
2023-11-05 16:30 ` [PATCH 11/34] KVM: Drop .on_unlock() mmu_notifier hook Paolo Bonzini
2023-11-05 16:30 ` [PATCH 12/34] KVM: Introduce per-page memory attributes Paolo Bonzini
2023-11-06 10:39 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 13/34] mm: Add AS_UNMOVABLE to mark mapping as completely unmovable Paolo Bonzini
2023-11-05 16:30 ` [PATCH 14/34] fs: Rename anon_inode_getfile_secure() and anon_inode_getfd_secure() Paolo Bonzini
2023-11-06 11:41 ` Fuad Tabba [this message]
2023-11-06 15:16 ` Christian Brauner
2023-11-05 16:30 ` [PATCH 15/34] KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory Paolo Bonzini
2023-11-06 10:51 ` Fuad Tabba
2023-11-10 1:53 ` Xiaoyao Li
2023-11-10 18:22 ` Sean Christopherson
2023-11-13 3:37 ` Xiaoyao Li
2025-10-03 17:23 ` Nikita Kalyazin
2025-10-07 13:58 ` Sean Christopherson
2023-11-05 16:30 ` [PATCH 16/34] KVM: x86: "Reset" vcpu->run->exit_reason early in KVM_RUN Paolo Bonzini
2023-11-10 8:49 ` Xiaoyao Li
2023-11-05 16:30 ` [PATCH 17/34] KVM: x86: Disallow hugepages when memory attributes are mixed Paolo Bonzini
2023-11-05 16:30 ` [PATCH 18/34] KVM: x86/mmu: Handle page fault for private memory Paolo Bonzini
2023-11-06 10:54 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 19/34] KVM: Drop superfluous __KVM_VCPU_MULTIPLE_ADDRESS_SPACE macro Paolo Bonzini
2023-11-05 16:30 ` [PATCH 20/34] KVM: Allow arch code to track number of memslot address spaces per VM Paolo Bonzini
2023-11-05 16:30 ` [PATCH 21/34] KVM: x86: Add support for "protected VMs" that can utilize private memory Paolo Bonzini
2023-11-06 11:01 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 22/34] KVM: selftests: Drop unused kvm_userspace_memory_region_find() helper Paolo Bonzini
2023-11-06 11:02 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 23/34] KVM: selftests: Convert lib's mem regions to KVM_SET_USER_MEMORY_REGION2 Paolo Bonzini
2023-11-06 11:03 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 24/34] KVM: selftests: Add support for creating private memslots Paolo Bonzini
2023-11-06 11:09 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 25/34] KVM: selftests: Add helpers to convert guest memory b/w private and shared Paolo Bonzini
2023-11-06 11:24 ` Fuad Tabba
2023-11-06 16:13 ` Sean Christopherson
2023-11-06 16:24 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 26/34] KVM: selftests: Add helpers to do KVM_HC_MAP_GPA_RANGE hypercalls (x86) Paolo Bonzini
2023-11-06 11:44 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 27/34] KVM: selftests: Introduce VM "shape" to allow tests to specify the VM type Paolo Bonzini
2023-11-06 11:54 ` Fuad Tabba
2023-11-06 16:04 ` Sean Christopherson
2023-11-06 16:17 ` Fuad Tabba
2023-11-08 17:00 ` Anish Moorthy
2023-11-08 23:37 ` Anish Moorthy
2023-11-09 8:25 ` Paolo Bonzini
2023-11-05 16:30 ` [PATCH 28/34] KVM: selftests: Add GUEST_SYNC[1-6] macros for synchronizing more data Paolo Bonzini
2023-11-06 11:44 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 29/34] KVM: selftests: Add x86-only selftest for private memory conversions Paolo Bonzini
2023-11-05 16:30 ` [PATCH 30/34] KVM: selftests: Add KVM_SET_USER_MEMORY_REGION2 helper Paolo Bonzini
2023-11-07 12:54 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 31/34] KVM: selftests: Expand set_memory_region_test to validate guest_memfd() Paolo Bonzini
2023-11-06 14:26 ` Paolo Bonzini
2023-11-05 16:30 ` [PATCH 32/34] KVM: selftests: Add basic selftest for guest_memfd() Paolo Bonzini
2023-11-07 13:07 ` Fuad Tabba
2023-11-16 21:00 ` Ackerley Tng
2023-11-05 16:30 ` [PATCH 33/34] KVM: selftests: Test KVM exit behavior for private memory/access Paolo Bonzini
2023-11-07 14:38 ` Fuad Tabba
2023-11-05 16:30 ` [PATCH 34/34] KVM: selftests: Add a memory region subtest to validate invalid flags Paolo Bonzini
2023-11-09 1:08 ` Anish Moorthy
2023-11-09 8:54 ` Fuad Tabba
2023-11-20 14:09 ` Mark Brown
2023-11-21 17:00 ` Paolo Bonzini
2023-11-05 16:30 ` [PATCH 35/34] KVM: Prepare for handling only shared mappings in mmu_notifier events Paolo Bonzini
2023-11-05 16:30 ` [PATCH 36/34] KVM: Add transparent hugepage support for dedicated guest memory Paolo Bonzini
2023-11-13 12:21 ` [PATCH v14 00/34] KVM: guest_memfd() and per-page attributes Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+EHjTwJyiyUnQpMZedqBa1QVdURH4C0ZcJ1nUY7TmuMjppReg@mail.gmail.com \
--to=tabba@google.com \
--cc=ackerleytng@google.com \
--cc=akpm@linux-foundation.org \
--cc=amoorthy@google.com \
--cc=anup@brainfault.org \
--cc=aou@eecs.berkeley.edu \
--cc=brauner@kernel.org \
--cc=chao.p.peng@linux.intel.com \
--cc=chenhuacai@kernel.org \
--cc=david@redhat.com \
--cc=dmatlack@google.com \
--cc=isaku.yamahata@gmail.com \
--cc=isaku.yamahata@intel.com \
--cc=jarkko@kernel.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm-riscv@lists.infradead.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=liam.merwick@oracle.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mail@maciej.szmigiero.name \
--cc=maz@kernel.org \
--cc=mic@digikod.net \
--cc=michael.roth@amd.com \
--cc=mpe@ellerman.id.au \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=pbonzini@redhat.com \
--cc=qperret@google.com \
--cc=seanjc@google.com \
--cc=vannapurve@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=wei.w.wang@intel.com \
--cc=willy@infradead.org \
--cc=xiaoyao.li@intel.com \
--cc=yilun.xu@intel.com \
--cc=yu.c.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox