From: Paul Moore <paul@paul-moore.com>
To: Shivank Garg <shivankg@amd.com>, <david@redhat.com>,
<akpm@linux-foundation.org>, <brauner@kernel.org>,
<rppt@kernel.org>, <viro@zeniv.linux.org.uk>
Cc: <seanjc@google.com>, <vbabka@suse.cz>, <willy@infradead.org>,
<pbonzini@redhat.com>, <tabba@google.com>, <afranji@google.com>,
<ackerleytng@google.com>, <shivankg@amd.com>, <jack@suse.cz>,
<hch@infradead.org>, <cgzones@googlemail.com>,
<ira.weiny@intel.com>, <roypat@amazon.co.uk>,
<linux-fsdevel@vger.kernel.org>, <linux-mm@kvack.org>,
<linux-kernel@vger.kernel.org>,
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v3] fs: generalize anon_inode_make_secure_inode() and fix secretmem LSM bypass
Date: Wed, 02 Jul 2025 22:13:16 -0400 [thread overview]
Message-ID: <a888364d0562815ca7e848b4d4f5b629@paul-moore.com> (raw)
In-Reply-To: <20250626191425.9645-5-shivankg@amd.com>
On Jun 26, 2025 Shivank Garg <shivankg@amd.com> wrote:
>
> Extend anon_inode_make_secure_inode() to take superblock parameter and
> make it available via fs.h. This allows other subsystems to create
> anonymous inodes with proper security context.
>
> Use this function in secretmem to fix a security regression, where
> S_PRIVATE flag wasn't cleared after alloc_anon_inode(), causing
> LSM/SELinux checks to be skipped.
>
> Using anon_inode_make_secure_inode() ensures proper security context
> initialization through security_inode_init_security_anon().
>
> Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes")
> Suggested-by: David Hildenbrand <david@redhat.com>
> Suggested-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
> Signed-off-by: Shivank Garg <shivankg@amd.com>
> Acked-by: Pankaj Gupta <pankaj.gupta@amd.com>
> Reviewed-by: Ira Weiny <ira.weiny@intel.com>
> ---
> The handling of the S_PRIVATE flag for these inodes was discussed
> extensively ([1], [2], [3]).
>
> As per discussion [3] with Mike and Paul, KVM guest_memfd and secretmem
> result in user-visible file descriptors, so they should be subject to
> LSM/SELinux security policies rather than bypassing them with S_PRIVATE.
>
> [1] https://lore.kernel.org/all/b9e5fa41-62fd-4b3d-bb2d-24ae9d3c33da@redhat.com
> [2] https://lore.kernel.org/all/cover.1748890962.git.ackerleytng@google.com
> [3] https://lore.kernel.org/all/aFOh8N_rRdSi_Fbc@kernel.org
>
> V3:
> - Drop EXPORT to be added later in separate patch for KVM guest_memfd and
> keep this patch focused on fix.
>
> V2: https://lore.kernel.org/all/20250620070328.803704-3-shivankg@amd.com
> - Use EXPORT_SYMBOL_GPL_FOR_MODULES() since KVM is the only user.
>
> V1: https://lore.kernel.org/all/20250619073136.506022-2-shivankg@amd.com
>
> fs/anon_inodes.c | 22 +++++++++++++++++-----
> include/linux/fs.h | 2 ++
> mm/secretmem.c | 9 +--------
> 3 files changed, 20 insertions(+), 13 deletions(-)
Thanks again for your continued work on this! I think the patch looks
pretty reasonable, but it would be good to hear a bit about how you've
tested this before ACK'ing the patch. For example, have you tested this
against any of the LSMs which provide anonymous inode support?
At the very least, the selinux-testsuite has a basic secretmem test, it
would be good to know if the test passes with this patch or if any
additional work is needed to ensure compatibility.
https://github.com/SELinuxProject/selinux-testsuite
--
paul-moore.com
next prev parent reply other threads:[~2025-07-03 2:13 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-26 19:14 [PATCH V3] fs: generalize anon_inode_make_secure_inode() and fix secretmem LSM bypass Shivank Garg
2025-06-27 8:27 ` Gupta, Pankaj
2025-06-27 18:21 ` Ira Weiny
2025-07-01 8:33 ` Christian Brauner
2025-07-07 5:23 ` Shivank Garg
2025-07-03 2:13 ` Paul Moore [this message]
2025-07-04 10:41 ` [PATCH v3] " Shivank Garg
2025-07-07 20:01 ` Paul Moore
2025-07-07 20:38 ` Chris PeBenito
2025-07-08 2:45 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a888364d0562815ca7e848b4d4f5b629@paul-moore.com \
--to=paul@paul-moore.com \
--cc=ackerleytng@google.com \
--cc=afranji@google.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=cgzones@googlemail.com \
--cc=david@redhat.com \
--cc=hch@infradead.org \
--cc=ira.weiny@intel.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=roypat@amazon.co.uk \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=shivankg@amd.com \
--cc=tabba@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).