Date: Wed, 02 Jul 2025 22:13:16 -0400
From: Paul Moore
To: Shivank Garg
Subject: Re: [PATCH v3] fs: generalize anon_inode_make_secure_inode() and fix secretmem LSM bypass
References: <20250626191425.9645-5-shivankg@amd.com>
In-Reply-To: <20250626191425.9645-5-shivankg@amd.com>

On Jun 26, 2025 Shivank Garg wrote:
>
> Extend anon_inode_make_secure_inode() to take superblock parameter and
> make it available via fs.h. This allows other subsystems to create
> anonymous inodes with proper security context.
>
> Use this function in secretmem to fix a security regression, where
> S_PRIVATE flag wasn't cleared after alloc_anon_inode(), causing
> LSM/SELinux checks to be skipped.
>
> Using anon_inode_make_secure_inode() ensures proper security context
> initialization through security_inode_init_security_anon().
>
> Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes")
> Suggested-by: David Hildenbrand
> Suggested-by: Mike Rapoport (Microsoft)
> Reviewed-by: David Hildenbrand
> Acked-by: Mike Rapoport (Microsoft)
> Signed-off-by: Shivank Garg
> Acked-by: Pankaj Gupta
> Reviewed-by: Ira Weiny
> ---
> The handling of the S_PRIVATE flag for these inodes was discussed
> extensively ([1], [2], [3]).
>
> As per discussion [3] with Mike and Paul, KVM guest_memfd and secretmem
> result in user-visible file descriptors, so they should be subject to
> LSM/SELinux security policies rather than bypassing them with S_PRIVATE.
>
> [1] https://lore.kernel.org/all/b9e5fa41-62fd-4b3d-bb2d-24ae9d3c33da@redhat.com
> [2] https://lore.kernel.org/all/cover.1748890962.git.ackerleytng@google.com
> [3] https://lore.kernel.org/all/aFOh8N_rRdSi_Fbc@kernel.org
>
> V3:
> - Drop EXPORT to be added later in separate patch for KVM guest_memfd and
>   keep this patch focused on fix.
>
> V2: https://lore.kernel.org/all/20250620070328.803704-3-shivankg@amd.com
> - Use EXPORT_SYMBOL_GPL_FOR_MODULES() since KVM is the only user.
>
> V1: https://lore.kernel.org/all/20250619073136.506022-2-shivankg@amd.com
>
>  fs/anon_inodes.c   | 22 +++++++++++++++++-----
>  include/linux/fs.h |  2 ++
>  mm/secretmem.c     |  9 +--------
>  3 files changed, 20 insertions(+), 13 deletions(-)

Thanks again for your continued work on this!

I think the patch looks pretty reasonable, but it would be good to hear
a bit about how you've tested this before ACK'ing the patch. For example,
have you tested this against any of the LSMs which provide anonymous
inode support?

At the very least, the selinux-testsuite has a basic secretmem test, it
would be good to know if the test passes with this patch or if any
additional work is needed to ensure compatibility.

https://github.com/SELinuxProject/selinux-testsuite

--
paul-moore.com
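
Added example, not part of this thread, the patch, or selinux-testsuite: a small userspace probe for the kind of testing asked about above. It walks a memfd_secret() descriptor through create, size, map and touch, and reports the first step the kernel refused, so a run from a confined domain can be compared across kernels. The type and function names are hypothetical, and which step an LSM refuses depends on the LSM and its policy.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447 /* fallback for older headers (x86-64, arm64) */
#endif
/* All names below are hypothetical, chosen for this example. */
enum step { STEP_CREATE, STEP_SIZE, STEP_MAP, STEP_DONE };
enum verdict { V_ALLOWED, V_DENIED, V_UNSUPPORTED, V_ERROR };
struct probe { enum step failed_at; int err; };

/* How a tester should read the errno of the failing step. */
enum verdict classify(int err)
{
    switch (err) {
    case 0:      return V_ALLOWED;
    case EACCES:                       /* usual form of an LSM denial */
    case EPERM:  return V_DENIED;      /* may also come from seccomp */
    case ENOSYS: return V_UNSUPPORTED; /* secretmem not built in or disabled */
    default:     return V_ERROR;
    }
}

/* Create, size, map and touch one page; record the first step that fails. */
struct probe probe_secretmem(void)
{
    struct probe p = { STEP_DONE, 0 };
    long page = sysconf(_SC_PAGESIZE);
    int fd = (int)syscall(__NR_memfd_secret, 0);
    if (fd < 0) { p.failed_at = STEP_CREATE; p.err = errno; return p; }
    if (ftruncate(fd, page) < 0) { p.failed_at = STEP_SIZE; p.err = errno; }
    else {
        void *m = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (m == MAP_FAILED) { p.failed_at = STEP_MAP; p.err = errno; }
        else { *(volatile char *)m = 1; munmap(m, page); }
    }
    close(fd);
    return p;
}

int main(void)
{
    struct probe p = probe_secretmem();
    printf("failed_at=%d errno=%d verdict=%d\n", p.failed_at, p.err, classify(p.err));
    return classify(p.err) == V_ERROR;
}
```

Run it once unconfined and once from the domain under test; a denied verdict at any step means the LSM was consulted for that operation.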