From: Paul Moore
Date: Wed, 4 Jun 2025 17:13:35 -0400
Subject: Re: [PATCH 1/2] fs: Provide function that allocates a secure anonymous inode
To: Mike Rapoport, Ackerley Tng

On Wed, Jun 4, 2025 at 3:59 AM Mike Rapoport wrote:
>
> (added Paul Moore for selinux bits)

Thanks Mike.

I'm adding the LSM and SELinux lists too since there are others that
will be interested as well.

> On Mon, Jun 02, 2025 at 12:17:54PM -0700, Ackerley Tng wrote:
> > The new function, alloc_anon_secure_inode(), returns an inode after
> > running checks in security_inode_init_security_anon().
> >
> > Also refactor secretmem's file creation process to use the new
> > function.
> >
> > Suggested-by: David Hildenbrand
> > Signed-off-by: Ackerley Tng > > --- > > fs/anon_inodes.c | 22 ++++++++++++++++------ > > include/linux/fs.h | 1 + > > mm/secretmem.c | 9 +-------- > > 3 files changed, 18 insertions(+), 14 deletions(-) > > > > diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c > > index 583ac81669c2..4c3110378647 100644 > > --- a/fs/anon_inodes.c > > +++ b/fs/anon_inodes.c > > @@ -55,17 +55,20 @@ static struct file_system_type anon_inode_fs_type = =3D { > > .kill_sb =3D kill_anon_super, > > }; > > > > -static struct inode *anon_inode_make_secure_inode( > > - const char *name, > > - const struct inode *context_inode) > > +static struct inode *anon_inode_make_secure_inode(struct super_block *= s, > > + const char *name, const struct inode *context_inode, > > + bool fs_internal) > > { > > struct inode *inode; > > int error; > > > > - inode =3D alloc_anon_inode(anon_inode_mnt->mnt_sb); > > + inode =3D alloc_anon_inode(s); > > if (IS_ERR(inode)) > > return inode; > > - inode->i_flags &=3D ~S_PRIVATE; > > + > > + if (!fs_internal) > > + inode->i_flags &=3D ~S_PRIVATE; > > + > > error =3D security_inode_init_security_anon(inode, &QSTR(name), > > context_inode); > > if (error) { > > @@ -75,6 +78,12 @@ static struct inode *anon_inode_make_secure_inode( > > return inode; > > } > > > > +struct inode *alloc_anon_secure_inode(struct super_block *s, const cha= r *name) > > +{ > > + return anon_inode_make_secure_inode(s, name, NULL, true); > > +} > > +EXPORT_SYMBOL_GPL(alloc_anon_secure_inode); > > + > > static struct file *__anon_inode_getfile(const char *name, > > const struct file_operations *fo= ps, > > void *priv, int flags, 
> > @@ -88,7 +97,8 @@ static struct file *__anon_inode_getfile(const char *= name, > > return ERR_PTR(-ENOENT); > > > > if (make_inode) { > > - inode =3D anon_inode_make_secure_inode(name, context_inod= e); > > + inode =3D anon_inode_make_secure_inode(anon_inode_mnt->mn= t_sb, > > + name, context_inode,= false); > > if (IS_ERR(inode)) { > > file =3D ERR_CAST(inode); > > goto err; > > diff --git a/include/linux/fs.h b/include/linux/fs.h > > index 016b0fe1536e..0fded2e3c661 100644 > > --- a/include/linux/fs.h > > +++ b/include/linux/fs.h > > @@ -3550,6 +3550,7 @@ extern int simple_write_begin(struct file *file, = struct address_space *mapping, > > extern const struct address_space_operations ram_aops; > > extern int always_delete_dentry(const struct dentry *); > > extern struct inode *alloc_anon_inode(struct super_block *); > > +extern struct inode *alloc_anon_secure_inode(struct super_block *, con= st char *); > > extern int simple_nosetlease(struct file *, int, struct file_lease **,= void **); > > extern const struct dentry_operations simple_dentry_operations; > > > > diff --git a/mm/secretmem.c b/mm/secretmem.c > > index 1b0a214ee558..c0e459e58cb6 100644 > > --- a/mm/secretmem.c > > +++ b/mm/secretmem.c 
> > @@ -195,18 +195,11 @@ static struct file *secretmem_file_create(unsigne= d long flags) > > struct file *file; > > struct inode *inode; > > const char *anon_name =3D "[secretmem]"; > > - int err; > > > > - inode =3D alloc_anon_inode(secretmem_mnt->mnt_sb); > > + inode =3D alloc_anon_secure_inode(secretmem_mnt->mnt_sb, anon_nam= e); > > if (IS_ERR(inode)) > > return ERR_CAST(inode);
>
> I don't think we should not hide secretmem and guest_memfd inodes from
> selinux, so clearing S_PRIVATE for them is not needed and you can just drop
> fs_internal parameter in anon_inode_make_secure_inode()

It's especially odd since I don't see any comments or descriptions
about why this is being done. The secretmem change is concerning as
this is user accessible and marking the inode with S_PRIVATE will
bypass a number of LSM/SELinux access controls, possibly resulting in
a security regression (one would need to dig a bit deeper to see what
is possible with secretmem and which LSM/SELinux code paths would be
affected).

I'm less familiar with guest_memfd, but generally speaking if
userspace can act on the inode/fd then we likely don't want the
S_PRIVATE flag stripped from the anon_inode.

Ackerley can you provide an explanation about why the change in
S_PRIVATE was necessary?

> > - err =3D security_inode_init_security_anon(inode, &QSTR(anon_name)= , NULL); > > - if (err) { > > - file =3D ERR_PTR(err); > > - goto err_free_inode; > > - } > > - > > file =3D alloc_file_pseudo(inode, secretmem_mnt, "secretmem", > > O_RDWR, &secretmem_fops); > > if (IS_ERR(file)) > > -- > > 2.49.0.1204.g71687c7c1d-goog

-- 
paul-moore.com
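
Review bot: In the fs/anon_inodes.c hunks, the new `fs_internal` argument to anon_inode_make_secure_inode() decides whether S_PRIVATE is cleared (`if (!fs_internal) inode->i_flags &= ~S_PRIVATE;`), and the exported alloc_anon_secure_inode() hard-codes it to true, yet neither the parameter nor the export carries a comment or kernel-doc saying why some callers keep the flag. Either document on the export which inodes are expected to stay S_PRIVATE and why, or drop the parameter and clear the flag unconditionally, as suggested in the reply.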
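
Review bot: In the mm/secretmem.c hunk, secretmem_file_create() loses its own `goto err_free_inode` path for a failed security_inode_init_security_anon() and now only returns ERR_CAST(inode), so cleanup of the inode on hook failure depends entirely on the `if (error) {` branch inside anon_inode_make_secure_inode(), whose body is not shown in this patch. It is worth confirming that this branch releases the inode, and stating in the commit message that the hook call moved into the helper.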