From: Paul Moore <paul@paul-moore.com>
To: Shivank Garg <shivankg@amd.com>
Cc: david@redhat.com, akpm@linux-foundation.org, brauner@kernel.org,
rppt@kernel.org, viro@zeniv.linux.org.uk, seanjc@google.com,
vbabka@suse.cz, willy@infradead.org, pbonzini@redhat.com,
tabba@google.com, afranji@google.com, ackerleytng@google.com,
jack@suse.cz, hch@infradead.org, cgzones@googlemail.com,
ira.weiny@intel.com, roypat@amazon.co.uk,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v3] fs: generalize anon_inode_make_secure_inode() and fix secretmem LSM bypass
Date: Mon, 7 Jul 2025 16:01:29 -0400 [thread overview]
Message-ID: <CAHC9VhTXheV6vxEFMUw4M=fN3mKsT0Ygv2oRFU7Sq_gEcx2iyg@mail.gmail.com> (raw)
In-Reply-To: <67c40ef1-8d90-44c5-b071-b130a960ecc4@amd.com>
On Fri, Jul 4, 2025 at 6:41 AM Shivank Garg <shivankg@amd.com> wrote:
> On 7/3/2025 7:43 AM, Paul Moore wrote:
> > On Jun 26, 2025 Shivank Garg <shivankg@amd.com> wrote:
>
> ...
>
> > Thanks again for your continued work on this! I think the patch looks
> > pretty reasonable, but it would be good to hear a bit about how you've
> > tested this before ACK'ing the patch. For example, have you tested this
> > against any of the LSMs which provide anonymous inode support?
> >
> > At the very least, the selinux-testsuite has a basic secretmem test, it
> > would be good to know if the test passes with this patch or if any
> > additional work is needed to ensure compatibility.
> >
> > https://github.com/SELinuxProject/selinux-testsuite
>
> Hi Paul,
>
> Thank you for pointing me to the selinux-testsuite. I wasn't sure how to properly
> test this patch, so your guidance was very helpful.
>
> With the current test policy (test_secretmem.te), I initially encountered the following failures:
>
> ~/selinux-testsuite/tests/secretmem# ./test
> memfd_secret() failed: Permission denied
> 1..6
> memfd_secret() failed: Permission denied
> ok 1
> ftruncate failed: Permission denied
> unable to mmap secret memory: Permission denied
> not ok 2
...
> To resolve this, I updated test_secretmem.te to add additional required
> permissions {create, read, write, map}
> With this change, all tests now pass successfully:
>
> diff --git a/policy/test_secretmem.te b/policy/test_secretmem.te
> index 357f41d..4cce076 100644
> --- a/policy/test_secretmem.te
> +++ b/policy/test_secretmem.te
> @@ -13,12 +13,12 @@ testsuite_domain_type_minimal(test_nocreate_secretmem_t)
> # Domain allowed to create secret memory with the own domain type
> type test_create_secretmem_t;
> testsuite_domain_type_minimal(test_create_secretmem_t)
> -allow test_create_secretmem_t self:anon_inode create;
> +allow test_create_secretmem_t self:anon_inode { create read write map };
>
> # Domain allowed to create secret memory with the own domain type and allowed to map WX
> type test_create_wx_secretmem_t;
> testsuite_domain_type_minimal(test_create_wx_secretmem_t)
> -allow test_create_wx_secretmem_t self:anon_inode create;
> +allow test_create_wx_secretmem_t self:anon_inode { create read write map };
I believe this domain also needs the anon_inode/execute permission.
> allow test_create_wx_secretmem_t self:process execmem;
>
> # Domain not allowed to create secret memory via a type transition to a private type
> @@ -30,4 +30,4 @@ type_transition test_nocreate_transition_secretmem_t test_nocreate_transition_se
> type test_create_transition_secretmem_t;
> testsuite_domain_type_minimal(test_create_transition_secretmem_t)
> type_transition test_create_transition_secretmem_t test_create_transition_secretmem_t:anon_inode test_secretmem_inode_t "[secretmem]";
> -allow test_create_transition_secretmem_t test_secretmem_inode_t:anon_inode create;
> +allow test_create_transition_secretmem_t test_secretmem_inode_t:anon_inode { create read write map };
>
> Does this approach look correct to you? Please let me know if my understanding
> makes sense and what should be my next step for patch.
[NOTE: added selinux@vger and selinux-refpolicy@vger to the To/CC line]
Hi Shivank,
My apologies for not responding earlier, Friday was a holiday and I
was away over the weekend. Getting back at it this morning I ran into
the same failures as you described, and had to make similar changes to
the selinux-testsuite policy (see the anon_inode/execute comment
above, I also added the capability/ipc_lock permission as needed).
Strictly speaking this is a regression in the kernel, even if the new
behavior is correct. I'm CC'ing the SELinux and Reference Policy
lists so that the policy devs can take a look and see what impacts
there might be to the various public SELinux policies. If this looks
like it may be a significant issue, we'll need to work around this
with a SELinux "policy capability" or some other compatibility
solution.
--
paul-moore.com
next prev parent reply other threads:[~2025-07-07 20:01 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-26 19:14 [PATCH V3] " Shivank Garg
2025-06-27 8:27 ` Gupta, Pankaj
2025-06-27 18:21 ` Ira Weiny
2025-07-01 8:33 ` Christian Brauner
2025-07-07 5:23 ` Shivank Garg
2025-07-03 2:13 ` [PATCH v3] " Paul Moore
2025-07-04 10:41 ` Shivank Garg
2025-07-07 20:01 ` Paul Moore [this message]
2025-07-07 20:38 ` Chris PeBenito
2025-07-08 2:45 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhTXheV6vxEFMUw4M=fN3mKsT0Ygv2oRFU7Sq_gEcx2iyg@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=ackerleytng@google.com \
--cc=afranji@google.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=cgzones@googlemail.com \
--cc=david@redhat.com \
--cc=hch@infradead.org \
--cc=ira.weiny@intel.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=roypat@amazon.co.uk \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=selinux-refpolicy@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=shivankg@amd.com \
--cc=tabba@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox