Thread (6 messages) 6 messages, 4 authors, 2025-06-19

Re: [PATCH 1/2] fs: Provide function that allocates a secure anonymous inode

From: Mike Rapoport <rppt@kernel.org>
Date: 2025-06-19 05:37:21
Also in: kvm, linux-fsdevel, linux-mm, lkml, selinux 

On Mon, Jun 16, 2025 at 06:30:09PM +0530, Shivank Garg wrote:

On 6/6/2025 8:39 PM, Ira Weiny wrote:
quoted
Paul Moore wrote:
quoted
On Thu, Jun 5, 2025 at 1:50 AM Mike Rapoport [off-list ref] wrote:
quoted
secretmem always had S_PRIVATE set because alloc_anon_inode() clears it
anyway and this patch does not change it.
Yes, my apologies, I didn't look closely enough at the code.
quoted
I'm just thinking that it makes sense to actually allow LSM/SELinux
controls that S_PRIVATE bypasses for both secretmem and guest_memfd.
It's been a while since we added the anon_inode hooks so I'd have to
go dig through the old thread to understand the logic behind marking
secretmem S_PRIVATE, especially when the
anon_inode_make_secure_inode() function cleared it.  It's entirely
possible it may have just been an oversight.
anon_inode_make_secure_inode() was introduced when more than 10 versions of
secretmem already were posted so it didn't jump at me to replace
alloc_anon_inode() with anon_inode_make_secure_inode().
quoted
I'm jumping in where I don't know what I'm talking about...

But my reading of the S_PRIVATE flag is that the memory can't be mapped by
user space.  So for guest_memfd() we need !S_PRIVATE because it is
intended to be mapped by user space.  So we want the secure checks.

I think secretmem is the same.
Agree.
quoted
Do I have that right?

Hi Mike, Paul,

If I understand correctly,
we need to clear the S_PRIVATE flag for all secure inodes. The S_PRIVATE flag was previously
set for  secretmem (via alloc_anon_inode()), which caused security checks to be 
bypassed - this was unintentional since the original anon_inode_make_secure_inode() 
was already clearing it.

Both secretmem and guest_memfd create file descriptors
(memfd_create/kvm_create_guest_memfd)
so they should be subject to LSM/SELinux security policies rather than bypassing them with S_PRIVATE?

static struct inode *anon_inode_make_secure_inode(struct super_block *s,
		const char *name, const struct inode *context_inode)
{
...
	/* Clear S_PRIVATE for all inodes*/
	inode->i_flags &= ~S_PRIVATE;
...
}

Please let me know if this conclusion makes sense?
Yes, makes sense to me.
 
Thanks,
Shivank
-- 
Sincerely yours,
Mike.
Related discussions
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help