| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aFOh8N_rRdSi_Fbc@kernel.org>
Date: Thu, 19 Jun 2025 08:36:48 +0300
From: Mike Rapoport <rppt@...nel.org>
To: Shivank Garg <shivankg@....com>
Cc: Ira Weiny <ira.weiny@...el.com>, Paul Moore <paul@...l-moore.com>,
Ackerley Tng <ackerleytng@...gle.com>,
linux-security-module@...r.kernel.org, selinux@...r.kernel.org,
kvm@...r.kernel.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, x86@...nel.org,
linux-fsdevel@...r.kernel.org, aik@....com, ajones@...tanamicro.com,
akpm@...ux-foundation.org, amoorthy@...gle.com,
anthony.yznaga@...cle.com, anup@...infault.org,
aou@...s.berkeley.edu, bfoster@...hat.com,
binbin.wu@...ux.intel.com, brauner@...nel.org,
catalin.marinas@....com, chao.p.peng@...el.com,
chenhuacai@...nel.org, dave.hansen@...el.com, david@...hat.com,
dmatlack@...gle.com, dwmw@...zon.co.uk, erdemaktas@...gle.com,
fan.du@...el.com, fvdl@...gle.com, graf@...zon.com,
haibo1.xu@...el.com, hch@...radead.org, hughd@...gle.com,
isaku.yamahata@...el.com, jack@...e.cz, james.morse@....com,
jarkko@...nel.org, jgg@...pe.ca, jgowans@...zon.com,
jhubbard@...dia.com, jroedel@...e.de, jthoughton@...gle.com,
jun.miao@...el.com, kai.huang@...el.com, keirf@...gle.com,
kent.overstreet@...ux.dev, kirill.shutemov@...el.com,
liam.merwick@...cle.com, maciej.wieczor-retman@...el.com,
mail@...iej.szmigiero.name, maz@...nel.org, mic@...ikod.net,
michael.roth@....com, mpe@...erman.id.au, muchun.song@...ux.dev,
nikunj@....com, nsaenz@...zon.es, oliver.upton@...ux.dev,
palmer@...belt.com, pankaj.gupta@....com, paul.walmsley@...ive.com,
pbonzini@...hat.com, pdurrant@...zon.co.uk, peterx@...hat.com,
pgonda@...gle.com, pvorel@...e.cz, qperret@...gle.com,
quic_cvanscha@...cinc.com, quic_eberman@...cinc.com,
quic_mnalajal@...cinc.com, quic_pderrin@...cinc.com,
quic_pheragu@...cinc.com, quic_svaddagi@...cinc.com,
quic_tsoni@...cinc.com, richard.weiyang@...il.com,
rick.p.edgecombe@...el.com, rientjes@...gle.com,
roypat@...zon.co.uk, seanjc@...gle.com, shuah@...nel.org,
steven.price@....com, steven.sistare@...cle.com,
suzuki.poulose@....com, tabba@...gle.com, thomas.lendacky@....com,
vannapurve@...gle.com, vbabka@...e.cz, viro@...iv.linux.org.uk,
vkuznets@...hat.com, wei.w.wang@...el.com, will@...nel.org,
willy@...radead.org, xiaoyao.li@...el.com, yan.y.zhao@...el.com,
yilun.xu@...el.com, yuzenghui@...wei.com, zhiquan1.li@...el.com
Subject: Re: [PATCH 1/2] fs: Provide function that allocates a secure
anonymous inode
On Mon, Jun 16, 2025 at 06:30:09PM +0530, Shivank Garg wrote:
>
>
> On 6/6/2025 8:39 PM, Ira Weiny wrote:
> > Paul Moore wrote:
> >> On Thu, Jun 5, 2025 at 1:50 AM Mike Rapoport <rppt@...nel.org> wrote:
> >>>
> >>> secretmem always had S_PRIVATE set because alloc_anon_inode() clears it
> >>> anyway and this patch does not change it.
> >>
> >> Yes, my apologies, I didn't look closely enough at the code.
> >>
> >>> I'm just thinking that it makes sense to actually allow LSM/SELinux
> >>> controls that S_PRIVATE bypasses for both secretmem and guest_memfd.
> >>
> >> It's been a while since we added the anon_inode hooks so I'd have to
> >> go dig through the old thread to understand the logic behind marking
> >> secretmem S_PRIVATE, especially when the
> >> anon_inode_make_secure_inode() function cleared it. It's entirely
> >> possible it may have just been an oversight.
anon_inode_make_secure_inode() was introduced when more than 10 versions of
secretmem already were posted so it didn't jump at me to replace
alloc_anon_inode() with anon_inode_make_secure_inode().
> > I'm jumping in where I don't know what I'm talking about...
> >
> > But my reading of the S_PRIVATE flag is that the memory can't be mapped by
> > user space. So for guest_memfd() we need !S_PRIVATE because it is
> > intended to be mapped by user space. So we want the secure checks.
> >
> > I think secretmem is the same.
Agree.
> > Do I have that right?
>
>
> Hi Mike, Paul,
>
> If I understand correctly,
> we need to clear the S_PRIVATE flag for all secure inodes. The S_PRIVATE flag was previously
> set for secretmem (via alloc_anon_inode()), which caused security checks to be
> bypassed - this was unintentional since the original anon_inode_make_secure_inode()
> was already clearing it.
>
> Both secretmem and guest_memfd create file descriptors
> (memfd_create/kvm_create_guest_memfd)
> so they should be subject to LSM/SELinux security policies rather than bypassing them with S_PRIVATE?
>
> static struct inode *anon_inode_make_secure_inode(struct super_block *s,
> const char *name, const struct inode *context_inode)
> {
> ...
> /* Clear S_PRIVATE for all inodes*/
> inode->i_flags &= ~S_PRIVATE;
> ...
> }
>
> Please let me know if this conclusion makes sense?
Yes, makes sense to me.
> Thanks,
> Shivank
--
Sincerely yours,
Mike.
Powered by blists - more mailing lists