Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp800074pxb; Thu, 17 Feb 2022 15:15:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJyfdSenUE0se++I3ZbT6GFYHreFaoBSSsIS+zSdulnWW6BOqu8Tn40ehb4/DBeuEgudK7Rj X-Received: by 2002:a63:e249:0:b0:36c:4f1f:95e0 with SMTP id y9-20020a63e249000000b0036c4f1f95e0mr4171064pgj.381.1645139703605; Thu, 17 Feb 2022 15:15:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645139703; cv=none; d=google.com; s=arc-20160816; b=KuGsDYShRxKhPRVUMdj7V0xxBG/wYOJBYhBzJRnYATUYnZ7nu2svSMWg0oQWX2VVvR +NcSCahX2rDnM4LGQ8+7I6mqJlYHed54Rh+tRDwPKWGdRBiE1nqcist6M393OMR6B9fz Jh4lk6/ziXuDqpP/8sP7pIzo4wcl94BM4BtCG4c57M0Ss8Mn8x0PFdTop/XIzOFMJUKK 2hC8bpSAr1D0OEDpq/JcOdQNKByqr4Cib0qY7vZkyb1Jj9CekaVZuMZ8VtygS9PI+PeZ c4wXI/DBxPoyiefVrQJ8kE5pjeBMB2sS94VwFxKpnWw+f+M2XGVf5VYOoUEZn3WY0aVe d4EA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=1hgyMGgqm2l0K029MbAV7HB50NHopCA50vfzIyF3//M=; b=QdKFGEadQbtIP1TlLzE5ZLnJEC2Vb5yLsvMSULK3W/jg+lorIcbkFnTJGPV9WM3ShQ 5tL/BoWFD3MU/o145XW241ydeU8ycpXDWTYwn7N6ki1iaUNLOVTtZS3lo/0xGtOGlLsc kV3QEw6tJmYlx1Hi7R8buk2Z+2V0oAaNiCROoERybM0HFqwUgPzQAZbaJOWhYXNiZSeb XXUCqviEsfwtpSP/VBJOwnHO2NxXNfoNKXI3IP/VLFK2NA4WU08ezRVeyplD9LUiuqxj Nn3wJn0rOdqKqTnOzmtb6fsOw4CE6yCWvz6QKtvdbrGJQyWJxP24RdNVKdM52Gwlb9xB wgww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@googlemail.com header.s=20210112 header.b=gQIB0sLt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id f130si9856200pgc.684.2022.02.17.15.15.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Feb 2022 15:15:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@googlemail.com header.s=20210112 header.b=gQIB0sLt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 4EBAB2B913E; Thu, 17 Feb 2022 15:05:47 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238471AbiBQOZK (ORCPT + 99 others); Thu, 17 Feb 2022 09:25:10 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:45708 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231938AbiBQOZJ (ORCPT ); Thu, 17 Feb 2022 09:25:09 -0500 Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E75C82B1669; Thu, 17 Feb 2022 06:24:54 -0800 (PST) Received: by mail-oi1-x22d.google.com with SMTP id s8so3533581oij.13; Thu, 17 Feb 2022 06:24:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1hgyMGgqm2l0K029MbAV7HB50NHopCA50vfzIyF3//M=; b=gQIB0sLtPnj5zwwT6gSkOleVRcwWPRVCa1YooIVwsnJQdqp3MZFTwxOgBj4PIVqMR9 HqLVXmmGuTj92Uye5WSlg/rwABYU9/nGb62XzyB+OdvtXNA1wlnjp1bq8XeCgYrNCmxN pqERattXxPcSY+V14OZunWDZjVg/p6wlKR1VgBQudZ0phigkvc1yr2w4jWVqLIxKA2rx ivP0IcPyTN9baWaayTX9flCTDJiiOVTqMq5bZ+KLs3hAwk+tkTUo47Ru6Jo/xLKQEwhT zYXO+ZDWre/jy5RV35OWpw+XXCKO7dY/KkzsnkV3FY1lhSQoPZnE8YKGPPoRs7P7ZOO1 H4Bw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1hgyMGgqm2l0K029MbAV7HB50NHopCA50vfzIyF3//M=; b=4452g39XNQgyHWxzVfIuTUzhdESICkbYZqsD70p4CzDXaE4fAsrn6/2Yoh5u6DMrY1 7WzFbXx7dGHpdqbYNaUapX03XMVJ5BHqBS3ngIbsfGcJW1+DVeFdPhf28wStRXJuql0z 0JARR2ZNInf15wyPnh+TksHDTDDw6aqYrPSATevgQzhwoQF9VvAWIwHwxic7afiztKth GvowFRsOE4qPRTIwmzk2IE+QI+H5/8sxgHk6lP5R0exrp7P1Fzugtx0eqEAyAgo9kjwb Zxw5/z0au11Wg5kY94VSB9E4/bv6seRRUaJU1Oi+lvotF7Lc+7X7O5FuQ97Mp8N3LEA6 4Jcg== X-Gm-Message-State: AOAM533qi1F+FDT/cVVO56LVeOOStjAHq/qRQc7GOBLD17cuZsKVaWSd qoOp1RFIKBAeHixP4Z4EG+2P2d/6aBPuGM0Ko5M= X-Received: by 2002:a05:6808:f8e:b0:2d4:1d66:3a22 with SMTP id o14-20020a0568080f8e00b002d41d663a22mr2774822oiw.120.1645107893906; Thu, 17 Feb 2022 06:24:53 -0800 (PST) MIME-Version: 1.0 References: <20220125143304.34628-1-cgzones@googlemail.com> In-Reply-To: From: =?UTF-8?Q?Christian_G=C3=B6ttsche?= Date: Thu, 17 Feb 2022 15:24:42 +0100 Message-ID: Subject: Re: [RFC PATCH] mm: create security context for memfd_secret inodes To: Paul Moore Cc: SElinux list , James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, Stephen Smalley , Eric Paris , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 27 Jan 2022 at 00:01, Paul Moore wrote: > > On Tue, Jan 25, 2022 at 9:33 AM Christian G=C3=B6ttsche > wrote: > > > > Create a security context for the inodes created by memfd_secret(2) via > > the LSM hook inode_init_security_anon to allow a fine grained control. > > As secret memory areas can affect hibernation and have a global shared > > limit access control might be desirable. > > > > Signed-off-by: Christian G=C3=B6ttsche > > --- > > An alternative way of checking memfd_secret(2) is to create a new LSM > > hook and e.g. for SELinux check via a new process class permission. > > --- > > mm/secretmem.c | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > This seems reasonable to me, and I like the idea of labeling the anon > inode as opposed to creating a new set of LSM hooks. If we want to > apply access control policy to the memfd_secret() fds we are going to > need to attach some sort of LSM state to the inode, we might as well > use the mechanism we already have instead of inventing another one. Any further comments (on design or implementation)? Should I resend a non-rfc? One naming question: Should the anonymous inode class be named "[secretmem]", like "[userfaultfd]", or "[secret_mem]" similar to "[io_uring]"? > > diff --git a/mm/secretmem.c b/mm/secretmem.c > > index 22b310adb53d..b61cd2f661bc 100644 > > --- a/mm/secretmem.c > > +++ b/mm/secretmem.c > > @@ -164,11 +164,20 @@ static struct file *secretmem_file_create(unsigne= d long flags) > > { > > struct file *file =3D ERR_PTR(-ENOMEM); > > struct inode *inode; > > + const char *anon_name =3D "[secretmem]"; > > + const struct qstr qname =3D QSTR_INIT(anon_name, strlen(anon_na= me)); > > + int err; > > > > inode =3D alloc_anon_inode(secretmem_mnt->mnt_sb); > > if (IS_ERR(inode)) > > return ERR_CAST(inode); > > > > + err =3D security_inode_init_security_anon(inode, &qname, NULL); > > + if (err) { > > + file =3D ERR_PTR(err); > > + goto err_free_inode; > > + } > > + > > file =3D alloc_file_pseudo(inode, secretmem_mnt, "secretmem", > > O_RDWR, &secretmem_fops); > > if (IS_ERR(file)) > > -- > > 2.34.1 > > -- > paul-moore.com