In-Reply-To: <20220125143304.34628-1-cgzones@googlemail.com>
From: Paul Moore
Date: Wed, 26 Jan 2022 18:01:30 -0500
Subject: Re: [RFC PATCH] mm: create security context for memfd_secret inodes
To: Christian Göttsche
Cc: selinux@vger.kernel.org, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, Stephen Smalley, Eric Paris, Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Tue, Jan 25, 2022 at 9:33 AM Christian Göttsche wrote:
>
> Create a security context for the inodes created by memfd_secret(2) via
> the LSM hook inode_init_security_anon to allow a fine grained control.
> As secret memory areas can affect hibernation and have a global shared
> limit access control might be desirable.
>
> Signed-off-by: Christian Göttsche
> ---
> An alternative way of checking memfd_secret(2) is to create a new LSM
> hook and e.g. for SELinux check via a new process class permission.
> ---
> mm/secretmem.c | 9 +++++++++
> 1 file changed, 9 insertions(+)

This seems reasonable to me, and I like the idea of labeling the anon
inode as opposed to creating a new set of LSM hooks. If we want to
apply access control policy to the memfd_secret() fds we are going to
need to attach some sort of LSM state to the inode, we might as well
use the mechanism we already have instead of inventing another one.

> diff --git a/mm/secretmem.c b/mm/secretmem.c > index 22b310adb53d..b61cd2f661bc 100644 > --- a/mm/secretmem.c > +++ b/mm/secretmem.c > @@ -164,11 +164,20 @@ static struct file *secretmem_file_create(unsigned = long flags) > { > struct file *file =3D ERR_PTR(-ENOMEM); > struct inode *inode; > + const char *anon_name =3D "[secretmem]"; > + const struct qstr qname =3D QSTR_INIT(anon_name, strlen(anon_name= )); > + int err; > > inode =3D alloc_anon_inode(secretmem_mnt->mnt_sb); > if (IS_ERR(inode)) > return ERR_CAST(inode); > > + err =3D security_inode_init_security_anon(inode, &qname, NULL); > + if (err) { > + file =3D ERR_PTR(err); > + goto err_free_inode; > + } > + > file =3D alloc_file_pseudo(inode, secretmem_mnt, "secretmem", > O_RDWR, &secretmem_fops); > if (IS_ERR(file)) > -- > 2.34.1

-- 
paul-moore.com
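
Review bot: The name handed to security_inode_init_security_anon() in the added anon_name/qname lines is "[secretmem]", while the alloc_file_pseudo() call just below uses "secretmem", and nothing in the commit message says which string an LSM policy is expected to match. With NULL passed as the third argument, the name is what the hook has to tell this inode apart from other anonymous inodes, so please state "[secretmem]" explicitly in the commit message, and also note that memfd_secret(2) can now fail with whatever error the hook returns. The new "goto err_free_inode" depends on a label that is outside the visible context; confirm that it drops the inode and returns file, which this path has just set to ERR_PTR(err). As a style point, a static const char anon_name[] with sizeof(anon_name) - 1 would avoid the run-time strlen().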