lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250624-einwickeln-geflecht-f9cc9cc67d3c@brauner>
Date: Tue, 24 Jun 2025 11:02:08 +0200
From: Christian Brauner <brauner@...nel.org>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Vlastimil Babka <vbabka@...e.cz>, 
	Christoph Hellwig <hch@...radead.org>, Sean Christopherson <seanjc@...gle.com>, 
	Mike Rapoport <rppt@...nel.org>, Shivank Garg <shivankg@....com>, david@...hat.com, 
	akpm@...ux-foundation.org, paul@...l-moore.com, viro@...iv.linux.org.uk, 
	willy@...radead.org, pbonzini@...hat.com, tabba@...gle.com, afranji@...gle.com, 
	ackerleytng@...gle.com, jack@...e.cz, cgzones@...glemail.com, ira.weiny@...el.com, 
	roypat@...zon.co.uk, linux-fsdevel@...r.kernel.org, linux-mm@...ck.org, 
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] fs: export anon_inode_make_secure_inode() and fix
 secretmem LSM bypass

On Mon, Jun 23, 2025 at 04:28:36PM +0200, Peter Zijlstra wrote:
> On Mon, Jun 23, 2025 at 04:21:15PM +0200, Vlastimil Babka wrote:
> > On 6/23/25 16:01, Christoph Hellwig wrote:
> > > On Mon, Jun 23, 2025 at 07:00:39AM -0700, Christoph Hellwig wrote:
> > >> On Mon, Jun 23, 2025 at 12:16:27PM +0200, Christian Brauner wrote:
> > >> > I'm more than happy to switch a bunch of our exports so that we only
> > >> > allow them for specific modules. But for that we also need
> > >> > EXPOR_SYMBOL_FOR_MODULES() so we can switch our non-gpl versions.
> > >> 
> > >> Huh?  Any export for a specific in-tree module (or set thereof) is
> > >> by definition internals and an _GPL export if perfectly fine and
> > >> expected.
> > 
> > Peterz tells me EXPORT_SYMBOL_GPL_FOR_MODULES() is not limited to in-tree
> > modules, so external module with GPL and matching name can import.
> > 
> > But if we're targetting in-tree stuff like kvm, we don't need to provide a
> > non-GPL variant I think?
> 
> So the purpose was to limit specific symbols to known in-tree module
> users (hence GPL only).
> 
> Eg. KVM; x86 exports a fair amount of low level stuff just because KVM.
> Nobody else should be touching those symbols.
> 
> If you have a pile of symbols for !GPL / out-of-tree consumers, it
> doesn't really make sense to limit the export to a named set of modules,
> does it?
> 
> So yes, nothing limits things to in-tree modules per-se. The
> infrastructure only really cares about module names (and implicitly
> trusts the OS to not overwrite existing kernel modules etc.). So you
> could add an out-of-tree module name to the list (or have an out-of-free
> module have a name that matches a glob; "kvm-vmware" would match "kvm-*"
> for example).
> 
> But that is very much beyond the intention of things.

So I'm not well-versed in all the GPL vs non-GPL exports. I'm thinking
of cases like EXPORT_SYMBOL(fget_task_next); That's exposed to gfs2 (and
bpf but that's built-in). I see no reason to risk spreading the usage of
that special-thing to anywhere else. So I would use
EXPORT_*_FOR_MODULES(gfs2) for this and we'd notice if anything else is
trying to use that thing.

Another excellent candidate is:

  /*
   * synchronous analog of fput(); for kernel threads that might be needed
   * in some umount() (and thus can't use flush_delayed_fput() without
   * risking deadlocks), need to wait for completion of __fput() and know
   * for this specific struct file it won't involve anything that would
   * need them.  Use only if you really need it - at the very least,
   * don't blindly convert fput() by kernel thread to that.
   */
  void __fput_sync(struct file *file)
  {
          if (file_ref_put(&file->f_ref))
                  __fput(file);
  }
  EXPORT_SYMBOL(__fput_sync);

That thing worries me to no end because that can be used to wreak all
kinds of havoc and I want that thing tied down so no one can even look
at it without getting a compile time or runtime error that we can
immediately notice. So for that as well I want to allow-list modules
that we have explictly acknowledged to use it.

But iiuc I can't just switch that non-GPL exported symbol to a GPL
exported symbol. And I don't want to be involved in some kind of
ideological warfare around that stuff.

I care about not growing more users of __fput_sync(). So any advice is
appreciated.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ