lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <647ab7a4-790f-4858-acf2-0f6bae5b7f99@amd.com>
Date: Mon, 16 Jun 2025 18:30:09 +0530
From: Shivank Garg <shivankg@....com>
To: Ira Weiny <ira.weiny@...el.com>, Paul Moore <paul@...l-moore.com>,
 Mike Rapoport <rppt@...nel.org>
Cc: Ackerley Tng <ackerleytng@...gle.com>,
 linux-security-module@...r.kernel.org, selinux@...r.kernel.org,
 kvm@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org,
 x86@...nel.org, linux-fsdevel@...r.kernel.org, aik@....com,
 ajones@...tanamicro.com, akpm@...ux-foundation.org, amoorthy@...gle.com,
 anthony.yznaga@...cle.com, anup@...infault.org, aou@...s.berkeley.edu,
 bfoster@...hat.com, binbin.wu@...ux.intel.com, brauner@...nel.org,
 catalin.marinas@....com, chao.p.peng@...el.com, chenhuacai@...nel.org,
 dave.hansen@...el.com, david@...hat.com, dmatlack@...gle.com,
 dwmw@...zon.co.uk, erdemaktas@...gle.com, fan.du@...el.com, fvdl@...gle.com,
 graf@...zon.com, haibo1.xu@...el.com, hch@...radead.org, hughd@...gle.com,
 isaku.yamahata@...el.com, jack@...e.cz, james.morse@....com,
 jarkko@...nel.org, jgg@...pe.ca, jgowans@...zon.com, jhubbard@...dia.com,
 jroedel@...e.de, jthoughton@...gle.com, jun.miao@...el.com,
 kai.huang@...el.com, keirf@...gle.com, kent.overstreet@...ux.dev,
 kirill.shutemov@...el.com, liam.merwick@...cle.com,
 maciej.wieczor-retman@...el.com, mail@...iej.szmigiero.name, maz@...nel.org,
 mic@...ikod.net, michael.roth@....com, mpe@...erman.id.au,
 muchun.song@...ux.dev, nikunj@....com, nsaenz@...zon.es,
 oliver.upton@...ux.dev, palmer@...belt.com, pankaj.gupta@....com,
 paul.walmsley@...ive.com, pbonzini@...hat.com, pdurrant@...zon.co.uk,
 peterx@...hat.com, pgonda@...gle.com, pvorel@...e.cz, qperret@...gle.com,
 quic_cvanscha@...cinc.com, quic_eberman@...cinc.com,
 quic_mnalajal@...cinc.com, quic_pderrin@...cinc.com,
 quic_pheragu@...cinc.com, quic_svaddagi@...cinc.com, quic_tsoni@...cinc.com,
 richard.weiyang@...il.com, rick.p.edgecombe@...el.com, rientjes@...gle.com,
 roypat@...zon.co.uk, seanjc@...gle.com, shuah@...nel.org,
 steven.price@....com, steven.sistare@...cle.com, suzuki.poulose@....com,
 tabba@...gle.com, thomas.lendacky@....com, vannapurve@...gle.com,
 vbabka@...e.cz, viro@...iv.linux.org.uk, vkuznets@...hat.com,
 wei.w.wang@...el.com, will@...nel.org, willy@...radead.org,
 xiaoyao.li@...el.com, yan.y.zhao@...el.com, yilun.xu@...el.com,
 yuzenghui@...wei.com, zhiquan1.li@...el.com
Subject: Re: [PATCH 1/2] fs: Provide function that allocates a secure
 anonymous inode



On 6/6/2025 8:39 PM, Ira Weiny wrote:
> Paul Moore wrote:
>> On Thu, Jun 5, 2025 at 1:50 AM Mike Rapoport <rppt@...nel.org> wrote:
>>>
>>> secretmem always had S_PRIVATE set because alloc_anon_inode() clears it
>>> anyway and this patch does not change it.
>>
>> Yes, my apologies, I didn't look closely enough at the code.
>>
>>> I'm just thinking that it makes sense to actually allow LSM/SELinux
>>> controls that S_PRIVATE bypasses for both secretmem and guest_memfd.
>>
>> It's been a while since we added the anon_inode hooks so I'd have to
>> go dig through the old thread to understand the logic behind marking
>> secretmem S_PRIVATE, especially when the
>> anon_inode_make_secure_inode() function cleared it.  It's entirely
>> possible it may have just been an oversight.
> 
> I'm jumping in where I don't know what I'm talking about...
> 
> But my reading of the S_PRIVATE flag is that the memory can't be mapped by
> user space.  So for guest_memfd() we need !S_PRIVATE because it is
> intended to be mapped by user space.  So we want the secure checks.
> 
> I think secretmem is the same.
> 
> Do I have that right?


Hi Mike, Paul,

If I understand correctly,
we need to clear the S_PRIVATE flag for all secure inodes. The S_PRIVATE flag was previously
set for  secretmem (via alloc_anon_inode()), which caused security checks to be 
bypassed - this was unintentional since the original anon_inode_make_secure_inode() 
was already clearing it.

Both secretmem and guest_memfd create file descriptors
(memfd_create/kvm_create_guest_memfd)
so they should be subject to LSM/SELinux security policies rather than bypassing them with S_PRIVATE?

static struct inode *anon_inode_make_secure_inode(struct super_block *s,
		const char *name, const struct inode *context_inode)
{
...
	/* Clear S_PRIVATE for all inodes*/
	inode->i_flags &= ~S_PRIVATE;
...
}

Please let me know if this conclusion makes sense?

Thanks,
Shivank

> 
> Ira
> 
> [snip]
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ