Date: Fri, 20 Jun 2025 11:31:19 +0300
From: Mike Rapoport
To: Shivank Garg
Cc: david@redhat.com, akpm@linux-foundation.org, brauner@kernel.org, paul@paul-moore.com, viro@zeniv.linux.org.uk, seanjc@google.com, vbabka@suse.cz, willy@infradead.org, pbonzini@redhat.com, tabba@google.com, afranji@google.com, ackerleytng@google.com, jack@suse.cz, hch@infradead.org, cgzones@googlemail.com, ira.weiny@intel.com, roypat@amazon.co.uk, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH V2] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
In-Reply-To: <20250620070328.803704-3-shivankg@amd.com>
References: <20250620070328.803704-3-shivankg@amd.com>

On Fri, Jun 20, 2025 at 07:03:30AM +0000, Shivank Garg wrote:
> Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
> anonymous inodes with proper security context. This replaces the current
> pattern of calling alloc_anon_inode() followed by
> inode_init_security_anon() for creating security context manually.
>
> This change also fixes a security regression in secretmem where the
> S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
> LSM/SELinux checks to be bypassed for secretmem file descriptors.
>
> As guest_memfd currently resides in the KVM module, we need to export this
> symbol for use outside the core kernel. In the future, guest_memfd might be
> moved to core-mm, at which point the symbols no longer would have to be
> exported. When/if that happens is still unclear.
>
> Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes")
> Suggested-by: David Hildenbrand
> Suggested-by: Mike Rapoport
> Signed-off-by: Shivank Garg

Acked-by: Mike Rapoport (Microsoft)

> ---
> The handling of the S_PRIVATE flag for these inodes was discussed
> extensively ([1], [2], [3]).
>
> As per discussion [3] with Mike and Paul, KVM guest_memfd and secretmem
> result in user-visible file descriptors, so they should be subject to
> LSM/SELinux security policies rather than bypassing them with S_PRIVATE.
>
> [1] https://lore.kernel.org/all/b9e5fa41-62fd-4b3d-bb2d-24ae9d3c33da@redhat.com
> [2] https://lore.kernel.org/all/cover.1748890962.git.ackerleytng@google.com
> [3] https://lore.kernel.org/all/aFOh8N_rRdSi_Fbc@kernel.org
>
> V1->V2: Use EXPORT_SYMBOL_GPL_FOR_MODULES() since KVM is the only user.
>
> fs/anon_inodes.c   | 23 ++++++++++++++++++-----
> include/linux/fs.h |  2 ++
> mm/secretmem.c     |  9 +-------
> 3 files changed, 21 insertions(+), 13 deletions(-)
>
> diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
> index e51e7d88980a..1d847a939f29 100644
> --- a/fs/anon_inodes.c
> +++ b/fs/anon_inodes.c
> @@ -98,14 +98,25 @@ static struct file_system_type anon_inode_fs_type = { > .kill_sb = kill_anon_super, > }; > > -static struct inode *anon_inode_make_secure_inode( > - const char *name, > - const struct inode *context_inode) > +/** > + * anon_inode_make_secure_inode - allocate an anonymous inode with security context > + * @sb: [in] Superblock to allocate from > + * @name: [in] Name of the class of the newfile (e.g., "secretmem") > + * @context_inode: > + * [in] Optional parent inode for security inheritance > + * > + * The function ensures proper security initialization through the LSM hook > + * security_inode_init_security_anon(). > + * > + * Return: Pointer to new inode on success, ERR_PTR on failure. > + */ > +struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name, > + const struct inode *context_inode) > { > struct inode *inode; > int error; > > - inode = alloc_anon_inode(anon_inode_mnt->mnt_sb); > + inode = alloc_anon_inode(sb); > if (IS_ERR(inode)) > return inode; > inode->i_flags &= ~S_PRIVATE; > @@ -118,6 +129,7 @@ static struct inode *anon_inode_make_secure_inode( > } > return inode; > } > +EXPORT_SYMBOL_GPL_FOR_MODULES(anon_inode_make_secure_inode, "kvm"); > > static struct file *__anon_inode_getfile(const char *name, > const struct file_operations *fops, > @@ -132,7 +144,8 @@ static struct file *__anon_inode_getfile(const char *name, > return ERR_PTR(-ENOENT); > > if (make_inode) { > - inode = anon_inode_make_secure_inode(name, context_inode); > + inode = anon_inode_make_secure_inode(anon_inode_mnt->mnt_sb, > + name, context_inode); > if (IS_ERR(inode)) { > file = ERR_CAST(inode); > goto err; > diff --git a/include/linux/fs.h b/include/linux/fs.h > index b085f161ed22..040c0036320f 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h 
> @@ -3608,6 +3608,8 @@ extern int simple_write_begin(struct file *file, struct address_space *mapping, > extern const struct address_space_operations ram_aops; > extern int always_delete_dentry(const struct dentry *); > extern struct inode *alloc_anon_inode(struct super_block *); > +struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name, > + const struct inode *context_inode); > extern int simple_nosetlease(struct file *, int, struct file_lease **, void **); > extern const struct dentry_operations simple_dentry_operations; > > diff --git a/mm/secretmem.c b/mm/secretmem.c > index 589b26c2d553..9a11a38a6770 100644 > --- a/mm/secretmem.c > +++ b/mm/secretmem.c > @@ -195,18 +195,11 @@ static struct file *secretmem_file_create(unsigned long flags) > struct file *file; > struct inode *inode; > const char *anon_name = "[secretmem]"; > - int err; > > - inode = alloc_anon_inode(secretmem_mnt->mnt_sb); > + inode = anon_inode_make_secure_inode(secretmem_mnt->mnt_sb, anon_name, NULL); > if (IS_ERR(inode)) > return ERR_CAST(inode); > > - err = security_inode_init_security_anon(inode, &QSTR(anon_name), NULL); > - if (err) { > - file = ERR_PTR(err); > - goto err_free_inode; > - } > - > file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem", > O_RDWR, &secretmem_fops); > if (IS_ERR(file)) > -- > 2.43.0 > -- Sincerely yours, Mike.
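Review bot: in the fs/anon_inodes.c hunk that adds the kernel-doc for anon_inode_make_secure_inode(), "newfile" in the @name line should be "new file", and the description should state the property the new exported callers actually rely on: the returned inode has S_PRIVATE cleared so that LSM hooks apply to it, and it has been labelled through security_inode_init_security_anon(). Something like "The returned inode is not S_PRIVATE, so LSM/SELinux checks apply to files created on it" next to the existing sentence would do. It would also help to say that @sb is expected to be the superblock of a pseudo filesystem mount (anon_inode_mnt->mnt_sb and secretmem_mnt->mnt_sb in the two callers), since it is handed straight to alloc_anon_inode(sb).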
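Review bot: the EXPORT_SYMBOL_GPL_FOR_MODULES(anon_inode_make_secure_inode, "kvm") hunk restricts the export to the kvm module, which matches the V1->V2 note; the other new caller in mm/secretmem.c is built into vmlinux and needs no export. A one-line comment above the export saying exactly that (guest_memfd in kvm.ko is the only modular user) would stop the next modular user from replacing the namespaced export with a plain EXPORT_SYMBOL_GPL() instead of extending the module list.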
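Review bot: in the mm/secretmem.c hunk, the removed `goto err_free_inode;` is the only jump to that label visible here; make sure the alloc_file_pseudo() failure path right below (the hunk is cut off after `if (IS_ERR(file))`) still references err_free_inode, otherwise the label becomes unused and the build warns. Also worth a short comment at the new `inode = anon_inode_make_secure_inode(secretmem_mnt->mnt_sb, anon_name, NULL);` call noting that the helper clears S_PRIVATE, since that is the actual fix for the LSM bypass named in the Fixes: tag, and alloc_anon_inode() plus a manual security_inode_init_security_anon() looks deceptively equivalent to anyone reading this later.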
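The bypass the commit message describes comes from the LSM wrappers in security/security.c returning 0 early for any inode that is IS_PRIVATE(), so an inode that keeps the S_PRIVATE flag set by alloc_anon_inode() is never shown to SELinux at all, label or no label. The following is an added, stand-alone user-space C model of that control flow; it is not code from the patch, from the e-mail thread or from the kernel tree. The struct, the toy policy and every model_* name are assumptions made for the example; only the S_PRIVATE value and the IS_PRIVATE() short-circuit mirror what the kernel does.

```c
/*
 * Added example (not kernel code): a user-space model of how the S_PRIVATE
 * inode flag short-circuits LSM hooks, and why the patch clears it in
 * anon_inode_make_secure_inode() instead of leaving alloc_anon_inode()'s
 * default in place.
 *
 * Assumptions: the struct below stands in for struct inode plus the LSM's
 * security blob, and the "policy" is a toy stand-in for an LSM decision.
 * Only the flag value and the early-return pattern mirror the kernel.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define S_PRIVATE 512                                   /* same value as include/linux/fs.h */
#define IS_PRIVATE(inode) ((inode)->i_flags & S_PRIVATE)

struct model_inode {
	unsigned int i_flags;
	char i_anon_class[32];  /* models the anon class name an LSM would record */
};

/* Toy LSM policy: deny every access to inodes of this class. */
static const char *model_denied_class = "[secretmem]";

static int model_lsm_inode_permission(const struct model_inode *inode)
{
	return strcmp(inode->i_anon_class, model_denied_class) == 0 ? -EACCES : 0;
}

/* Mirrors the security_inode_*() wrappers: private inodes never reach the LSM. */
static int model_security_inode_permission(const struct model_inode *inode)
{
	if (IS_PRIVATE(inode))
		return 0;
	return model_lsm_inode_permission(inode);
}

/* Models alloc_anon_inode(): the inode starts out S_PRIVATE. */
static void model_alloc_anon_inode(struct model_inode *inode)
{
	memset(inode, 0, sizeof(*inode));
	inode->i_flags |= S_PRIVATE;
}

/* The pattern the patch removes from secretmem: label, but leave S_PRIVATE set. */
static void model_secretmem_before_fix(struct model_inode *inode, const char *name)
{
	model_alloc_anon_inode(inode);
	snprintf(inode->i_anon_class, sizeof(inode->i_anon_class), "%s", name);
}

/* The pattern the patch introduces: clear S_PRIVATE first, then label. */
static void model_make_secure_inode(struct model_inode *inode, const char *name)
{
	model_alloc_anon_inode(inode);
	inode->i_flags &= ~S_PRIVATE;
	snprintf(inode->i_anon_class, sizeof(inode->i_anon_class), "%s", name);
}

/*
 * Builds a "[secretmem]" inode the old or the new way and runs the
 * permission check.  Returns 0 when the toy policy was bypassed and
 * -EACCES when it was actually enforced.
 */
static int model_check(bool fixed)
{
	struct model_inode inode;

	if (fixed)
		model_make_secure_inode(&inode, "[secretmem]");
	else
		model_secretmem_before_fix(&inode, "[secretmem]");
	return model_security_inode_permission(&inode);
}

int main(void)
{
	printf("before fix: permission() = %d (policy bypassed)\n", model_check(false));
	printf("after fix:  permission() = %d (policy enforced)\n", model_check(true));
	return 0;
}
```

The point the model makes is that labelling alone is not enough: the old secretmem code did call security_inode_init_security_anon(), but with S_PRIVATE still set no later hook ever consulted that label, which is exactly why the patch routes both secretmem and guest_memfd through a helper that clears the flag before labelling.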