From: jeffxu@chromium.org
To: skhan@linuxfoundation.org, keescook@chromium.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com,
dverkamp@chromium.org, hughd@google.com, jeffxu@google.com,
jorgelo@chromium.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
jannh@google.com, linux-hardening@vger.kernel.org,
kernel test robot <lkp@intel.com>
Subject: [PATCH v6 6/6] mm/memfd: security hook for memfd_create
Date: Wed, 7 Dec 2022 15:49:39 +0000 [thread overview]
Message-ID: <20221207154939.2532830-7-jeffxu@google.com> (raw)
In-Reply-To: <20221207154939.2532830-1-jeffxu@google.com>
From: Jeff Xu <jeffxu@google.com>
The new security_memfd_create allows lsm to check flags of
memfd_create.
The security by default system (such as chromeos) can use this
to implement system wide lsm to allow only non-executable memfd
being created.
Signed-off-by: Jeff Xu <jeffxu@google.com>
Reported-by: kernel test robot <lkp@intel.com>
---
include/linux/lsm_hook_defs.h | 1 +
include/linux/lsm_hooks.h | 4 ++++
include/linux/security.h | 6 ++++++
mm/memfd.c | 5 +++++
security/security.c | 13 +++++++++++++
5 files changed, 29 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index ec119da1d89b..fd40840927c8 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -164,6 +164,7 @@ LSM_HOOK(int, 0, file_alloc_security, struct file *file)
LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
unsigned long arg)
+LSM_HOOK(int, 0, memfd_create, char *name, unsigned int flags)
LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 4ec80b96c22e..5a18a6552278 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -543,6 +543,10 @@
* simple integer value. When @arg represents a user space pointer, it
* should never be used by the security module.
* Return 0 if permission is granted.
+ * @memfd_create:
+ * @name is the name of memfd file.
+ * @flags is the flags used in memfd_create.
+ * Return 0 if permission is granted.
* @mmap_addr :
* Check permissions for a mmap operation at @addr.
* @addr contains virtual address that will be used for the operation.
diff --git a/include/linux/security.h b/include/linux/security.h
index ca1b7109c0db..5b87a780822a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -384,6 +384,7 @@ int security_file_permission(struct file *file, int mask);
int security_file_alloc(struct file *file);
void security_file_free(struct file *file);
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+int security_memfd_create(char *name, unsigned int flags);
int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags);
int security_mmap_addr(unsigned long addr);
@@ -963,6 +964,11 @@ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
return 0;
}
+static inline int security_memfd_create(char *name, unsigned int flags)
+{
+ return 0;
+}
+
static inline int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags)
{
diff --git a/mm/memfd.c b/mm/memfd.c
index 92f0a5765f7c..f04ed5f0474f 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -356,6 +356,11 @@ SYSCALL_DEFINE2(memfd_create,
goto err_name;
}
+ /* security hook for memfd_create */
+ error = security_memfd_create(name, flags);
+ if (error)
+ return error;
+
if (flags & MFD_HUGETLB) {
file = hugetlb_file_setup(name, 0, VM_NORESERVE,
HUGETLB_ANONHUGE_INODE,
diff --git a/security/security.c b/security/security.c
index 79d82cb6e469..5c018e080923 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1010,6 +1010,19 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb,
}
EXPORT_SYMBOL(security_sb_clone_mnt_opts);
+int security_add_mnt_opt(const char *option, const char *val, int len,
+ void **mnt_opts)
+{
+ return call_int_hook(sb_add_mnt_opt, -EINVAL,
+ option, val, len, mnt_opts);
+}
+EXPORT_SYMBOL(security_add_mnt_opt);
+
+int security_memfd_create(char *name, unsigned int flags)
+{
+ return call_int_hook(memfd_create, 0, name, flags);
+}
+
int security_move_mount(const struct path *from_path, const struct path *to_path)
{
return call_int_hook(move_mount, 0, from_path, to_path);
--
2.39.0.rc0.267.gcb52ba06e7-goog
next prev parent reply other threads:[~2022-12-07 15:50 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-07 15:49 [PATCH v6 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC jeffxu
2022-12-07 15:49 ` [PATCH v6 1/6] mm/memfd: add F_SEAL_EXEC jeffxu
2022-12-08 16:16 ` Kees Cook
2022-12-07 15:49 ` [PATCH v6 2/6] selftests/memfd: add tests for F_SEAL_EXEC jeffxu
2022-12-08 16:21 ` Kees Cook
2022-12-07 15:49 ` [PATCH v6 3/6] mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC jeffxu
2022-12-08 16:27 ` Kees Cook
2022-12-08 22:55 ` Jeff Xu
2022-12-16 15:46 ` Peter Xu
2022-12-16 17:15 ` Jeff Xu
2022-12-16 17:42 ` Andrew Morton
2022-12-16 18:11 ` Jeff Xu
2022-12-16 20:35 ` Kees Cook
2022-12-16 21:46 ` Jeff Xu
2022-12-16 22:06 ` Andrew Morton
2022-12-16 23:40 ` Jeff Xu
2022-12-20 16:55 ` Shuah Khan
2022-12-23 18:06 ` Jeff Xu
2022-12-07 15:49 ` [PATCH v6 4/6] mm/memfd: Add write seals when apply SEAL_EXEC to executable memfd jeffxu
2022-12-08 16:27 ` Kees Cook
2022-12-07 15:49 ` [PATCH v6 5/6] selftests/memfd: add tests for MFD_NOEXEC_SEAL MFD_EXEC jeffxu
2022-12-08 16:30 ` Kees Cook
2022-12-07 15:49 ` jeffxu [this message]
2022-12-08 16:32 ` [PATCH v6 6/6] mm/memfd: security hook for memfd_create Kees Cook
2022-12-08 16:46 ` Kees Cook
2022-12-08 16:13 ` [PATCH v6 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC Kees Cook
2022-12-08 18:33 ` Jeff Xu
2022-12-08 20:55 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221207154939.2532830-7-jeffxu@google.com \
--to=jeffxu@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=dmitry.torokhov@gmail.com \
--cc=dverkamp@chromium.org \
--cc=hughd@google.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
--cc=skhan@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.