From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BA85C433F5 for ; Thu, 17 Feb 2022 14:24:56 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 933E46B0074; Thu, 17 Feb 2022 09:24:55 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 8E4616B0075; Thu, 17 Feb 2022 09:24:55 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7857F6B0078; Thu, 17 Feb 2022 09:24:55 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0230.hostedemail.com [216.40.44.230]) by kanga.kvack.org (Postfix) with ESMTP id 6AAC36B0074 for ; Thu, 17 Feb 2022 09:24:55 -0500 (EST) Received: from smtpin16.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 2C4D895293 for ; Thu, 17 Feb 2022 14:24:55 +0000 (UTC) X-FDA: 79152493350.16.9D1F595 Received: from mail-oi1-f180.google.com (mail-oi1-f180.google.com [209.85.167.180]) by imf16.hostedemail.com (Postfix) with ESMTP id BDB12180005 for ; Thu, 17 Feb 2022 14:24:54 +0000 (UTC) Received: by mail-oi1-f180.google.com with SMTP id r27so6012193oiw.4 for ; Thu, 17 Feb 2022 06:24:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1hgyMGgqm2l0K029MbAV7HB50NHopCA50vfzIyF3//M=; b=gQIB0sLtPnj5zwwT6gSkOleVRcwWPRVCa1YooIVwsnJQdqp3MZFTwxOgBj4PIVqMR9 HqLVXmmGuTj92Uye5WSlg/rwABYU9/nGb62XzyB+OdvtXNA1wlnjp1bq8XeCgYrNCmxN pqERattXxPcSY+V14OZunWDZjVg/p6wlKR1VgBQudZ0phigkvc1yr2w4jWVqLIxKA2rx ivP0IcPyTN9baWaayTX9flCTDJiiOVTqMq5bZ+KLs3hAwk+tkTUo47Ru6Jo/xLKQEwhT zYXO+ZDWre/jy5RV35OWpw+XXCKO7dY/KkzsnkV3FY1lhSQoPZnE8YKGPPoRs7P7ZOO1 H4Bw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1hgyMGgqm2l0K029MbAV7HB50NHopCA50vfzIyF3//M=; b=phM5+vFhqI/Du7lp/kKCJNxHsYp2seRLYWuVAeNmf7JiMFH0i9atGSalf78LpVtwLd wvLLYevVLflyRwovXhaLf7q90WzsBVjdfypjLQvRb93YXNKWR5NTDeiqat/qvLQJPz3c 7wyVh/NRF1LvPjMd9xNVX8GSZ4iobD6laKcFIdNWgzeL/Wv/OBrU4BsGXpaWkW5m/QcK U8rnWzkGjxsITc7z07B+wHfsJUFQmvCBU8WaKaEcCu6z9iygvXRXPwRVHocE77qvU9Zw JYbQwGmLdGYLlKxsxTc8df2khAr/VrucWlyV/tmm+GmxZTHK909DwM3gsGZZkP0bAL3j 7Qbg== X-Gm-Message-State: AOAM530WcameDcqYhnAEIWh/nmHZr9TxLuLcQUkccH1qChX65kb+T3aH rgMnMFIMvOMRIfNTlpYZXFMuYTf9wfHMCglj8Ac= X-Google-Smtp-Source: ABdhPJwvvtQk6R3zwXKzTDX5Ys3fUplA2RG10agfaeCFg5xA9zIXmJGVa0X27BvMbrhRnqbgtwKDQQsOy9PJ6NgZqgs= X-Received: by 2002:a05:6808:f8e:b0:2d4:1d66:3a22 with SMTP id o14-20020a0568080f8e00b002d41d663a22mr2774822oiw.120.1645107893906; Thu, 17 Feb 2022 06:24:53 -0800 (PST) MIME-Version: 1.0 References: <20220125143304.34628-1-cgzones@googlemail.com> In-Reply-To: From: =?UTF-8?Q?Christian_G=C3=B6ttsche?= Date: Thu, 17 Feb 2022 15:24:42 +0100 Message-ID: Subject: Re: [RFC PATCH] mm: create security context for memfd_secret inodes To: Paul Moore Cc: SElinux list , James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, Stephen Smalley , Eric Paris , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: BDB12180005 X-Rspam-User: Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=googlemail.com header.s=20210112 header.b=gQIB0sLt; spf=pass (imf16.hostedemail.com: domain of cgzones@googlemail.com designates 209.85.167.180 as permitted sender) smtp.mailfrom=cgzones@googlemail.com; dmarc=pass (policy=quarantine) header.from=googlemail.com X-Stat-Signature: g5rhm47sig4b9dwi13duib4cqg8r8pta X-HE-Tag: 1645107894-443037 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, 27 Jan 2022 at 00:01, Paul Moore wrote: > > On Tue, Jan 25, 2022 at 9:33 AM Christian G=C3=B6ttsche > wrote: > > > > Create a security context for the inodes created by memfd_secret(2) via > > the LSM hook inode_init_security_anon to allow a fine grained control. > > As secret memory areas can affect hibernation and have a global shared > > limit access control might be desirable. > > > > Signed-off-by: Christian G=C3=B6ttsche > > --- > > An alternative way of checking memfd_secret(2) is to create a new LSM > > hook and e.g. for SELinux check via a new process class permission. > > --- > > mm/secretmem.c | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > This seems reasonable to me, and I like the idea of labeling the anon > inode as opposed to creating a new set of LSM hooks. If we want to > apply access control policy to the memfd_secret() fds we are going to > need to attach some sort of LSM state to the inode, we might as well > use the mechanism we already have instead of inventing another one. Any further comments (on design or implementation)? Should I resend a non-rfc? One naming question: Should the anonymous inode class be named "[secretmem]", like "[userfaultfd]", or "[secret_mem]" similar to "[io_uring]"? > > diff --git a/mm/secretmem.c b/mm/secretmem.c > > index 22b310adb53d..b61cd2f661bc 100644 > > --- a/mm/secretmem.c > > +++ b/mm/secretmem.c > > @@ -164,11 +164,20 @@ static struct file *secretmem_file_create(unsigne= d long flags) > > { > > struct file *file =3D ERR_PTR(-ENOMEM); > > struct inode *inode; > > + const char *anon_name =3D "[secretmem]"; > > + const struct qstr qname =3D QSTR_INIT(anon_name, strlen(anon_na= me)); > > + int err; > > > > inode =3D alloc_anon_inode(secretmem_mnt->mnt_sb); > > if (IS_ERR(inode)) > > return ERR_CAST(inode); > > > > + err =3D security_inode_init_security_anon(inode, &qname, NULL); > > + if (err) { > > + file =3D ERR_PTR(err); > > + goto err_free_inode; > > + } > > + > > file =3D alloc_file_pseudo(inode, secretmem_mnt, "secretmem", > > O_RDWR, &secretmem_fops); > > if (IS_ERR(file)) > > -- > > 2.34.1 > > -- > paul-moore.com