| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhSbWJ-8tj5BxSTxznGO8zraKRSE31a+tqdfMHB53ef-MQ@mail.gmail.com> Date: Sun, 21 Sep 2025 14:31:37 -0400 From: Paul Moore <paul@...l-moore.com> To: Thiébaud Weksteen <tweek@...gle.com>, Hugh Dickins <hughd@...gle.com> Cc: James Morris <jmorris@...ei.org>, Stephen Smalley <stephen.smalley.work@...il.com>, Jeff Vander Stoep <jeffv@...gle.com>, Nick Kralevich <nnk@...gle.com>, Jeff Xu <jeffxu@...gle.com>, Baolin Wang <baolin.wang@...ux.alibaba.com>, Isaac Manjarres <isaacmanjarres@...gle.com>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, selinux@...r.kernel.org, linux-mm@...ck.org Subject: Re: [PATCH v3] memfd,selinux: call security_inode_init_security_anon On Wed, Sep 17, 2025 at 10:04 PM Thiébaud Weksteen <tweek@...gle.com> wrote: > > Prior to this change, no security hooks were called at the creation of a > memfd file. It means that, for SELinux as an example, it will receive > the default type of the filesystem that backs the in-memory inode. In > most cases, that would be tmpfs, but if MFD_HUGETLB is passed, it will > be hugetlbfs. Both can be considered implementation details of memfd. > > It also means that it is not possible to differentiate between a file > coming from memfd_create and a file coming from a standard tmpfs mount > point. > > Additionally, no permission is validated at creation, which differs from > the similar memfd_secret syscall. > > Call security_inode_init_security_anon during creation. This ensures > that the file is setup similarly to other anonymous inodes. On SELinux, > it means that the file will receive the security context of its task. > > The ability to limit fexecve on memfd has been of interest to avoid > potential pitfalls where /proc/self/exe or similar would be executed > [1][2]. Reuse the "execute_no_trans" and "entrypoint" access vectors, > similarly to the file class. These access vectors may not make sense for > the existing "anon_inode" class. Therefore, define and assign a new > class "memfd_file" to support such access vectors. > > Guard these changes behind a new policy capability named "memfd_class". > > [1] https://crbug.com/1305267 > [2] https://lore.kernel.org/lkml/20221215001205.51969-1-jeffxu@google.com/ > > Signed-off-by: Thiébaud Weksteen <tweek@...gle.com> > --- > Changes since v2: > - Add WARN_ON when using unexpected class. Return -EACCES instead > of -EPERM > - Remove extra new line > - Rebase on selinux/dev > > Changes since v1: > - Move test of class earlier in selinux_bprm_creds_for_exec > - Remove duplicate call to security_transition_sid > > Changes since RFC: > - Remove enum argument, simply compare the anon inode name > - Introduce a policy capability for compatility > - Add validation of class in selinux_bprm_creds_for_exec > include/linux/memfd.h | 2 ++ > mm/memfd.c | 14 ++++++++++-- > security/selinux/hooks.c | 26 +++++++++++++++++----- > security/selinux/include/classmap.h | 2 ++ > security/selinux/include/policycap.h | 1 + > security/selinux/include/policycap_names.h | 1 + > security/selinux/include/security.h | 5 +++++ > 7 files changed, 44 insertions(+), 7 deletions(-) Thanks Thiébaud, I'm going to merge this into selinux/dev-staging now with the plan to move it over to selinux/dev after the upcoming merge window closes. Hugh, since the changes between this patch and the v2 you ACK'd are minimal and limited to the SELinux error handling code (see diff below), I'm going to carry over your ACK, but if you have any concerns or objections please let us know. Thanks everyone! -- paul-moore.com
Powered by blists - more mailing lists