lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <aD_8z4pd7JcFkAwX@kernel.org>
Date: Wed, 4 Jun 2025 10:59:11 +0300
From: Mike Rapoport <rppt@...nel.org>
To: Ackerley Tng <ackerleytng@...gle.com>
Cc: kvm@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org,
	x86@...nel.org, linux-fsdevel@...r.kernel.org, aik@....com,
	ajones@...tanamicro.com, akpm@...ux-foundation.org,
	amoorthy@...gle.com, anthony.yznaga@...cle.com, anup@...infault.org,
	aou@...s.berkeley.edu, bfoster@...hat.com,
	binbin.wu@...ux.intel.com, brauner@...nel.org,
	catalin.marinas@....com, chao.p.peng@...el.com,
	chenhuacai@...nel.org, dave.hansen@...el.com, david@...hat.com,
	dmatlack@...gle.com, dwmw@...zon.co.uk, erdemaktas@...gle.com,
	fan.du@...el.com, fvdl@...gle.com, graf@...zon.com,
	haibo1.xu@...el.com, hch@...radead.org, hughd@...gle.com,
	ira.weiny@...el.com, isaku.yamahata@...el.com, jack@...e.cz,
	james.morse@....com, jarkko@...nel.org, jgg@...pe.ca,
	jgowans@...zon.com, jhubbard@...dia.com, jroedel@...e.de,
	jthoughton@...gle.com, jun.miao@...el.com, kai.huang@...el.com,
	keirf@...gle.com, kent.overstreet@...ux.dev,
	kirill.shutemov@...el.com, liam.merwick@...cle.com,
	maciej.wieczor-retman@...el.com, mail@...iej.szmigiero.name,
	maz@...nel.org, mic@...ikod.net, michael.roth@....com,
	mpe@...erman.id.au, muchun.song@...ux.dev, nikunj@....com,
	nsaenz@...zon.es, oliver.upton@...ux.dev, palmer@...belt.com,
	pankaj.gupta@....com, paul.walmsley@...ive.com, pbonzini@...hat.com,
	pdurrant@...zon.co.uk, peterx@...hat.com, pgonda@...gle.com,
	pvorel@...e.cz, qperret@...gle.com, quic_cvanscha@...cinc.com,
	quic_eberman@...cinc.com, quic_mnalajal@...cinc.com,
	quic_pderrin@...cinc.com, quic_pheragu@...cinc.com,
	quic_svaddagi@...cinc.com, quic_tsoni@...cinc.com,
	richard.weiyang@...il.com, rick.p.edgecombe@...el.com,
	rientjes@...gle.com, roypat@...zon.co.uk, seanjc@...gle.com,
	shuah@...nel.org, steven.price@....com, steven.sistare@...cle.com,
	suzuki.poulose@....com, tabba@...gle.com, thomas.lendacky@....com,
	vannapurve@...gle.com, vbabka@...e.cz, viro@...iv.linux.org.uk,
	vkuznets@...hat.com, wei.w.wang@...el.com, will@...nel.org,
	willy@...radead.org, xiaoyao.li@...el.com, yan.y.zhao@...el.com,
	yilun.xu@...el.com, yuzenghui@...wei.com, zhiquan1.li@...el.com,
	Paul Moore <paul@...l-moore.com>
Subject: Re: [PATCH 1/2] fs: Provide function that allocates a secure
 anonymous inode

(added Paul Moore for selinux bits)

On Mon, Jun 02, 2025 at 12:17:54PM -0700, Ackerley Tng wrote:
> The new function, alloc_anon_secure_inode(), returns an inode after
> running checks in security_inode_init_security_anon().
> 
> Also refactor secretmem's file creation process to use the new
> function.
> 
> Suggested-by: David Hildenbrand <david@...hat.com>
> Signed-off-by: Ackerley Tng <ackerleytng@...gle.com>
> ---
>  fs/anon_inodes.c   | 22 ++++++++++++++++------
>  include/linux/fs.h |  1 +
>  mm/secretmem.c     |  9 +--------
>  3 files changed, 18 insertions(+), 14 deletions(-)
> 
> diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
> index 583ac81669c2..4c3110378647 100644
> --- a/fs/anon_inodes.c
> +++ b/fs/anon_inodes.c
> @@ -55,17 +55,20 @@ static struct file_system_type anon_inode_fs_type = {
>  	.kill_sb	= kill_anon_super,
>  };
> 
> -static struct inode *anon_inode_make_secure_inode(
> -	const char *name,
> -	const struct inode *context_inode)
> +static struct inode *anon_inode_make_secure_inode(struct super_block *s,
> +		const char *name, const struct inode *context_inode,
> +		bool fs_internal)
>  {
>  	struct inode *inode;
>  	int error;
> 
> -	inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
> +	inode = alloc_anon_inode(s);
>  	if (IS_ERR(inode))
>  		return inode;
> -	inode->i_flags &= ~S_PRIVATE;
> +
> +	if (!fs_internal)
> +		inode->i_flags &= ~S_PRIVATE;
> +
>  	error =	security_inode_init_security_anon(inode, &QSTR(name),
>  						  context_inode);
>  	if (error) {
> @@ -75,6 +78,12 @@ static struct inode *anon_inode_make_secure_inode(
>  	return inode;
>  }
> 
> +struct inode *alloc_anon_secure_inode(struct super_block *s, const char *name)
> +{
> +	return anon_inode_make_secure_inode(s, name, NULL, true);
> +}
> +EXPORT_SYMBOL_GPL(alloc_anon_secure_inode);
> +
>  static struct file *__anon_inode_getfile(const char *name,
>  					 const struct file_operations *fops,
>  					 void *priv, int flags,
> @@ -88,7 +97,8 @@ static struct file *__anon_inode_getfile(const char *name,
>  		return ERR_PTR(-ENOENT);
> 
>  	if (make_inode) {
> -		inode =	anon_inode_make_secure_inode(name, context_inode);
> +		inode = anon_inode_make_secure_inode(anon_inode_mnt->mnt_sb,
> +						     name, context_inode, false);
>  		if (IS_ERR(inode)) {
>  			file = ERR_CAST(inode);
>  			goto err;
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 016b0fe1536e..0fded2e3c661 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -3550,6 +3550,7 @@ extern int simple_write_begin(struct file *file, struct address_space *mapping,
>  extern const struct address_space_operations ram_aops;
>  extern int always_delete_dentry(const struct dentry *);
>  extern struct inode *alloc_anon_inode(struct super_block *);
> +extern struct inode *alloc_anon_secure_inode(struct super_block *, const char *);
>  extern int simple_nosetlease(struct file *, int, struct file_lease **, void **);
>  extern const struct dentry_operations simple_dentry_operations;
> 
> diff --git a/mm/secretmem.c b/mm/secretmem.c
> index 1b0a214ee558..c0e459e58cb6 100644
> --- a/mm/secretmem.c
> +++ b/mm/secretmem.c
> @@ -195,18 +195,11 @@ static struct file *secretmem_file_create(unsigned long flags)
>  	struct file *file;
>  	struct inode *inode;
>  	const char *anon_name = "[secretmem]";
> -	int err;
> 
> -	inode = alloc_anon_inode(secretmem_mnt->mnt_sb);
> +	inode = alloc_anon_secure_inode(secretmem_mnt->mnt_sb, anon_name);
>  	if (IS_ERR(inode))
>  		return ERR_CAST(inode);

I don't think we should not hide secretmem and guest_memfd inodes from
selinux, so clearing S_PRIVATE for them is not needed and you can just drop
fs_internal parameter in anon_inode_make_secure_inode() 

> 
> -	err = security_inode_init_security_anon(inode, &QSTR(anon_name), NULL);
> -	if (err) {
> -		file = ERR_PTR(err);
> -		goto err_free_inode;
> -	}
> -
>  	file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",
>  				 O_RDWR, &secretmem_fops);
>  	if (IS_ERR(file))
> --
> 2.49.0.1204.g71687c7c1d-goog

-- 
Sincerely yours,
Mike.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ