From: Christian Göttsche
Date: Mon, 2 May 2022 15:45:35 +0200
Subject: Re: [RFC PATCH] mm: create security context for memfd_secret inodes
To: Paul Moore
Cc: SElinux list, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, Stephen Smalley, Eric Paris, Andrew Morton, linux-mm@kvack.org, Linux kernel mailing list
References: <20220125143304.34628-1-cgzones@googlemail.com>

On Thu, 17 Feb 2022 at 23:32, Paul Moore wrote:
>
> On Thu, Feb 17, 2022 at 9:24 AM Christian Göttsche wrote:
> > On Thu, 27 Jan 2022 at 00:01, Paul Moore wrote:
> > > On Tue, Jan 25, 2022 at 9:33 AM Christian Göttsche wrote:
> > > >
> > > > Create a security context for the inodes created by memfd_secret(2) via
> > > > the LSM hook inode_init_security_anon to allow a fine grained control.
> > > > As secret memory areas can affect hibernation and have a global shared
> > > > limit access control might be desirable.
> > > >
> > > > Signed-off-by: Christian Göttsche
> > > > ---
> > > > An alternative way of checking memfd_secret(2) is to create a new LSM
> > > > hook and e.g. for SELinux check via a new process class permission.
> > > > ---
> > > >  mm/secretmem.c | 9 +++++++++
> > > >  1 file changed, 9 insertions(+)
> > >
> > > This seems reasonable to me, and I like the idea of labeling the anon
> > > inode as opposed to creating a new set of LSM hooks.  If we want to
> > > apply access control policy to the memfd_secret() fds we are going to
> > > need to attach some sort of LSM state to the inode, we might as well
> > > use the mechanism we already have instead of inventing another one.
> >
> > Any further comments (on design or implementation)?
> >
> > Should I resend a non-rfc?
>
> I personally would really like to see a selinux-testsuite for this so
> that we can verify it works not just now but in the future too.  I
> think having a test would also help demonstrate the usefulness of the
> additional LSM controls.
>

Any comments (especially from the mm people)?

Draft SELinux testsuite patch:
https://github.com/SELinuxProject/selinux-testsuite/pull/80

> > One naming question:
> > Should the anonymous inode class be named "[secretmem]", like
> > "[userfaultfd]", or "[secret_mem]" similar to "[io_uring]"?
>
> The pr_fmt() string in mm/secretmem.c uses "secretmem" so I would
> suggest sticking with "[secretmem]", although that is a question best
> answered by the secretmem maintainer.
>
> --
> paul-moore.com
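
How SELinux policy could consume the labeling discussed in this thread, as an added example that is not part of the original message or of the linked testsuite patch. It assumes the inode name "[secretmem]" suggested above; `myapp_t` and `myapp_secretmem_t` are hypothetical type names.

```sepolicy
module secretmem_example 1.0;

require {
	# Hypothetical existing domain that should be allowed to call
	# memfd_secret(2); substitute a domain from your own policy.
	type myapp_t;
	class anon_inode { create read write map };
}

# Hypothetical type carried by the secretmem inode of this domain.
type myapp_secretmem_t;

# When myapp_t creates an anonymous inode whose name is "[secretmem]"
# (assumed name, per the naming question in the thread), label it
# myapp_secretmem_t. This mirrors how "[userfaultfd]" inodes are typed.
type_transition myapp_t myapp_t : anon_inode myapp_secretmem_t "[secretmem]";

# "create" is what SELinux checks in its inode_init_security_anon hook.
# read/write/map are an assumption about what later use of the fd
# (ftruncate, mmap, access through the mapping) would require.
allow myapp_t myapp_secretmem_t : anon_inode { create read write map };

# A domain with no such allow rule would fail at memfd_secret(2) time,
# which is the fine-grained control the RFC aims for.
```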