Message-ID: <aFQATWEX2h4LaQZb@kernel.org>
Date: Thu, 19 Jun 2025 15:19:25 +0300
From: Mike Rapoport <rppt@...nel.org>
To: Christian Brauner <brauner@...nel.org>
Cc: Vlastimil Babka <vbabka@...e.cz>, Shivank Garg <shivankg@....com>,
	david@...hat.com, akpm@...ux-foundation.org, paul@...l-moore.com,
	viro@...iv.linux.org.uk, seanjc@...gle.com, willy@...radead.org,
	pbonzini@...hat.com, tabba@...gle.com, afranji@...gle.com,
	ackerleytng@...gle.com, jack@...e.cz, hch@...radead.org,
	cgzones@...glemail.com, ira.weiny@...el.com, roypat@...zon.co.uk,
	linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] fs: export anon_inode_make_secure_inode() and fix
 secretmem LSM bypass

On Thu, Jun 19, 2025 at 02:06:17PM +0200, Christian Brauner wrote:
> On Thu, Jun 19, 2025 at 02:01:22PM +0300, Mike Rapoport wrote:
> > On Thu, Jun 19, 2025 at 12:38:25PM +0200, Christian Brauner wrote:
> > > On Thu, Jun 19, 2025 at 11:13:49AM +0200, Vlastimil Babka wrote:
> > > > On 6/19/25 09:31, Shivank Garg wrote:
> > > > > Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
> > > > > anonymous inodes with proper security context. This replaces the current
> > > > > pattern of calling alloc_anon_inode() followed by
> > > > > inode_init_security_anon() for creating security context manually.
> > > > > 
> > > > > This change also fixes a security regression in secretmem where the
> > > > > S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
> > > > > LSM/SELinux checks to be bypassed for secretmem file descriptors.
> > > > > 
> > > > > As guest_memfd currently resides in the KVM module, we need to export this
> > > > 
> > > > Could we use the new EXPORT_SYMBOL_GPL_FOR_MODULES() thingy to make this
> > > > explicit for KVM?
> > > 
> > > Oh? Enlighten me about that, if you have a second, please. 
> > 
> > From Documentation/core-api/symbol-namespaces.rst:
> > 
> > The macro takes a comma separated list of module names, allowing only those
> > modules to access this symbol. Simple tail-globs are supported.
> > 
> > For example::
> > 
> >   EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
> > 
> > will limit usage of this symbol to modules whose name matches the given
> > patterns.
> 
> Is that still mostly advisory and can still be easily circumvented?

The commit message says

   will limit the use of said function to kvm.ko, any other module trying
   to use this symbol will refuse to load (and get modpost build
   failures).
 
-- 
Sincerely yours,
Mike.
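The matching rule quoted above from symbol-namespaces.rst (a comma-separated list of module names, with simple tail-globs) decides which modules may resolve a symbol exported with EXPORT_SYMBOL_GPL_FOR_MODULES(). The following is an added userspace model of that documented rule, written for this page; it is not the kernel's loader or modpost code. It assumes the name being checked is the plain module name string as the pattern author wrote it (the docs example "kvm,kvm-*"), and it does not model how the loader derives that name from the .ko.

```c
/*
 * Userspace model of the EXPORT_SYMBOL_GPL_FOR_MODULES() allow-list rule
 * as documented: a comma-separated list of module names, where an entry
 * ending in '*' is a tail-glob that matches on prefix only. Added for
 * illustration on this page; this is not the kernel's own implementation.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Return true if modname matches at least one entry in list.
 * An entry "kvm" matches only the module named exactly "kvm";
 * an entry "kvm-*" matches any module whose name starts with "kvm-".
 */
bool module_name_allowed(const char *list, const char *modname)
{
    size_t modlen = strlen(modname);

    while (*list) {
        const char *sep = strchr(list, ',');
        size_t len = sep ? (size_t)(sep - list) : strlen(list);
        bool glob = false;

        /* Tail-glob: drop the '*' and compare the remaining prefix only. */
        if (len > 0 && list[len - 1] == '*') {
            len--;
            glob = true;
        }

        if (strncmp(list, modname, len) == 0 && (glob || len == modlen))
            return true;

        if (!sep)
            break;
        list = sep + 1;
    }
    return false;
}

/*
 * Model of the loader-side decision: 0 if the requesting module may bind
 * to the restricted symbol, -1 if the load would be refused. The pattern
 * list is passed in directly; how the kernel stores it alongside the
 * symbol is not modelled here.
 */
int resolve_restricted_symbol(const char *allowed_mods, const char *modname)
{
    return module_name_allowed(allowed_mods, modname) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample requesters checked against the docs' example list. */
    const char *list = "kvm,kvm-*";
    const char *requesters[] = { "kvm", "kvm-intel", "kvm-amd", "kvmfoo", "vfio" };

    for (size_t i = 0; i < sizeof(requesters) / sizeof(requesters[0]); i++)
        printf("%-10s -> %s\n", requesters[i],
               resolve_restricted_symbol(list, requesters[i]) == 0
                   ? "allowed" : "refused");
    return 0;
}
```

Note that "kvmfoo" is refused: the first entry requires an exact match and the second requires the literal prefix "kvm-", so the glob only widens matching from the point of the '*' onward.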
