From: Mike Rapoport <rppt@kernel.org>
To: Christian Brauner <brauner@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>, Shivank Garg <shivankg@amd.com>,
david@redhat.com, akpm@linux-foundation.org, paul@paul-moore.com,
viro@zeniv.linux.org.uk, seanjc@google.com, willy@infradead.org,
pbonzini@redhat.com, tabba@google.com, afranji@google.com,
ackerleytng@google.com, jack@suse.cz, hch@infradead.org,
cgzones@googlemail.com, ira.weiny@intel.com, roypat@amazon.co.uk,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
Date: Thu, 19 Jun 2025 15:19:25 +0300 [thread overview]
Message-ID: <aFQATWEX2h4LaQZb@kernel.org> (raw)
In-Reply-To: <20250619-ablichten-korpulent-0efe2ddd0ee6@brauner>
On Thu, Jun 19, 2025 at 02:06:17PM +0200, Christian Brauner wrote:
> On Thu, Jun 19, 2025 at 02:01:22PM +0300, Mike Rapoport wrote:
> > On Thu, Jun 19, 2025 at 12:38:25PM +0200, Christian Brauner wrote:
> > > On Thu, Jun 19, 2025 at 11:13:49AM +0200, Vlastimil Babka wrote:
> > > > On 6/19/25 09:31, Shivank Garg wrote:
> > > > > Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
> > > > > anonymous inodes with proper security context. This replaces the current
> > > > > pattern of calling alloc_anon_inode() followed by
> > > > > inode_init_security_anon() for creating security context manually.
> > > > >
> > > > > This change also fixes a security regression in secretmem where the
> > > > > S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
> > > > > LSM/SELinux checks to be bypassed for secretmem file descriptors.
> > > > >
> > > > > As guest_memfd currently resides in the KVM module, we need to export this
> > > >
> > > > Could we use the new EXPORT_SYMBOL_GPL_FOR_MODULES() thingy to make this
> > > > explicit for KVM?
> > >
> > > Oh? Enlighten me about that, if you have a second, please.
> >
> > From Documentation/core-api/symbol-namespaces.rst:
> >
> > The macro takes a comma separated list of module names, allowing only those
> > modules to access this symbol. Simple tail-globs are supported.
> >
> > For example::
> >
> > EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
> >
> > will limit usage of this symbol to modules whoes name matches the given
> > patterns.
>
> Is that still mostly advisory and can still be easily circumenvented?
The commit message says
will limit the use of said function to kvm.ko, any other module trying
to use this symbol will refure to load (and get modpost build
failures).
--
Sincerely yours,
Mike.
next prev parent reply other threads:[~2025-06-19 12:19 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-19 7:31 [PATCH] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Shivank Garg
2025-06-19 8:45 ` Christian Brauner
2025-06-19 9:13 ` Vlastimil Babka
2025-06-19 9:53 ` Shivank Garg
2025-06-19 10:38 ` Christian Brauner
2025-06-19 11:01 ` Mike Rapoport
2025-06-19 12:06 ` Christian Brauner
2025-06-19 12:19 ` Mike Rapoport [this message]
2025-06-20 15:02 ` Sean Christopherson
2025-06-23 5:32 ` Shivank Garg
2025-06-23 10:16 ` Christian Brauner
2025-06-23 14:00 ` Christoph Hellwig
2025-06-23 14:01 ` Christoph Hellwig
2025-06-23 14:21 ` Vlastimil Babka
2025-06-23 14:22 ` Christoph Hellwig
2025-06-23 14:28 ` Peter Zijlstra
2025-06-24 9:02 ` Christian Brauner
2025-06-25 9:05 ` Christian Brauner
2025-06-25 9:18 ` Vlastimil Babka
2025-06-25 8:02 ` Vlastimil Babka
2025-06-25 8:09 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aFQATWEX2h4LaQZb@kernel.org \
--to=rppt@kernel.org \
--cc=ackerleytng@google.com \
--cc=afranji@google.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=cgzones@googlemail.com \
--cc=david@redhat.com \
--cc=hch@infradead.org \
--cc=ira.weiny@intel.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=pbonzini@redhat.com \
--cc=roypat@amazon.co.uk \
--cc=seanjc@google.com \
--cc=shivankg@amd.com \
--cc=tabba@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).