From: Christian Göttsche
Date: Mon, 2 May 2022 15:45:35 +0200
Subject: Re: [RFC PATCH] mm: create security context for memfd_secret inodes
To: Paul Moore
Cc: SElinux list, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, Stephen Smalley, Eric Paris, Andrew Morton, linux-mm@kvack.org, Linux kernel mailing list
References: <20220125143304.34628-1-cgzones@googlemail.com>

On Thu, 17 Feb 2022 at 23:32, Paul Moore wrote:
>
> On Thu, Feb 17, 2022 at 9:24 AM Christian Göttsche
> wrote:
> > On Thu, 27 Jan 2022 at 00:01, Paul Moore wrote:
> > > On Tue, Jan 25, 2022 at 9:33 AM Christian Göttsche
> > > wrote:
> > > >
> > > > Create a security context for the inodes created by memfd_secret(2) via
> > > > the LSM hook inode_init_security_anon to allow a fine grained control.
> > > > As secret memory areas can affect hibernation and have a global shared
> > > > limit access control might be desirable.
> > > >
> > > > Signed-off-by: Christian Göttsche
> > > > ---
> > > > An alternative way of checking memfd_secret(2) is to create a new LSM
> > > > hook and e.g. for SELinux check via a new process class permission.
> > > > ---
> > > >  mm/secretmem.c | 9 +++++++++
> > > >  1 file changed, 9 insertions(+)
> > >
> > > This seems reasonable to me, and I like the idea of labeling the anon
> > > inode as opposed to creating a new set of LSM hooks.  If we want to
> > > apply access control policy to the memfd_secret() fds we are going to
> > > need to attach some sort of LSM state to the inode, we might as well
> > > use the mechanism we already have instead of inventing another one.
> >
> > Any further comments (on design or implementation)?
> >
> > Should I resend a non-rfc?
>
> I personally would really like to see a selinux-testsuite for this so
> that we can verify it works not just now but in the future too.  I
> think having a test would also help demonstrate the usefulness of the
> additional LSM controls.
>

Any comments (especially from the mm people)?

Draft SELinux testsuite patch:
https://github.com/SELinuxProject/selinux-testsuite/pull/80

> > One naming question:
> > Should the anonymous inode class be named "[secretmem]", like
> > "[userfaultfd]", or "[secret_mem]" similar to "[io_uring]"?
>
> The pr_fmt() string in mm/secretmem.c uses "secretmem" so I would
> suggest sticking with "[secretmem]", although that is a question best
> answered by the secretmem maintainer.
>
> --
> paul-moore.com