From: Paul Moore
Date: Tue, 7 Jun 2022 16:10:28 -0400
Subject: Re: [RFC PATCH] mm: create security context for memfd_secret inodes
To: Christian Göttsche
Cc: SElinux list, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, Stephen Smalley, Eric Paris, Andrew Morton, linux-mm@kvack.org, Linux kernel mailing list
References: <20220125143304.34628-1-cgzones@googlemail.com>

On Mon, May 2, 2022 at 9:45 AM Christian Göttsche wrote:
> On Thu, 17 Feb 2022 at 23:32, Paul Moore wrote:
> > On Thu, Feb 17, 2022 at 9:24 AM Christian Göttsche wrote:
> > > On Thu, 27 Jan 2022 at 00:01, Paul Moore wrote:
> > > > On Tue, Jan 25, 2022 at 9:33 AM Christian Göttsche wrote:
> > > > >
> > > > > Create a security context for the inodes created by memfd_secret(2) via
> > > > > the LSM hook inode_init_security_anon to allow fine-grained control.
> > > > > As secret memory areas can affect hibernation and have a global shared
> > > > > limit, access control might be desirable.
> > > > >
> > > > > Signed-off-by: Christian Göttsche
> > > > > ---
> > > > > An alternative way of checking memfd_secret(2) is to create a new LSM
> > > > > hook and e.g. for SELinux check via a new process class permission.
> > > > > ---
> > > > > mm/secretmem.c | 9 +++++++++
> > > > > 1 file changed, 9 insertions(+)
> > > >
> > > > This seems reasonable to me, and I like the idea of labeling the anon
> > > > inode as opposed to creating a new set of LSM hooks. If we want to
> > > > apply access control policy to the memfd_secret() fds we are going to
> > > > need to attach some sort of LSM state to the inode, we might as well
> > > > use the mechanism we already have instead of inventing another one.
> > >
> > > Any further comments (on design or implementation)?
> > >
> > > Should I resend a non-RFC?
> >
> > I personally would really like to see a selinux-testsuite for this so
> > that we can verify it works not just now but in the future too. I
> > think having a test would also help demonstrate the usefulness of the
> > additional LSM controls.
> >
> > Any comments (especially from the mm people)?
>
> Draft SELinux testsuite patch:
> https://github.com/SELinuxProject/selinux-testsuite/pull/80
>
> > > One naming question:
> > > Should the anonymous inode class be named "[secretmem]", like
> > > "[userfaultfd]", or "[secret_mem]" similar to "[io_uring]"?
> >
> > The pr_fmt() string in mm/secretmem.c uses "secretmem" so I would
> > suggest sticking with "[secretmem]", although that is a question best
> > answered by the secretmem maintainer.

I think this patchset has been posted for long enough with no comments,
and no objections, that I can pull this into the selinux/next tree.
However, I'll give it until the end of this week just to give folks one
last chance to comment. If I don't hear any objections by the end of
day on Friday, June 10th I'll go ahead and merge this.

-- 
paul-moore.com