From: Christian Göttsche
Date: Mon, 2 May 2022 15:45:35 +0200
Subject: Re: [RFC PATCH] mm: create security context for memfd_secret inodes
To: Paul Moore
Cc: SElinux list, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, Stephen Smalley, Eric Paris, Andrew Morton, linux-mm@kvack.org, Linux kernel mailing list
References: <20220125143304.34628-1-cgzones@googlemail.com>

On Thu, 17 Feb 2022 at 23:32, Paul Moore wrote:
>
> On Thu, Feb 17, 2022 at 9:24 AM Christian Göttsche
> wrote:
> > On Thu, 27 Jan 2022 at 00:01, Paul Moore wrote:
> > > On Tue, Jan 25, 2022 at 9:33 AM Christian Göttsche
> > > wrote:
> > > >
> > > > Create a security context for the inodes created by memfd_secret(2) via
> > > > the LSM hook inode_init_security_anon to allow a fine grained control.
> > > > As secret memory areas can affect hibernation and have a global shared
> > > > limit access control might be desirable.
> > > >
> > > > Signed-off-by: Christian Göttsche
> > > > ---
> > > > An alternative way of checking memfd_secret(2) is to create a new LSM
> > > > hook and e.g. for SELinux check via a new process class permission.
> > > > ---
> > > >  mm/secretmem.c | 9 +++++++++
> > > >  1 file changed, 9 insertions(+)
> > >
> > > This seems reasonable to me, and I like the idea of labeling the anon
> > > inode as opposed to creating a new set of LSM hooks. If we want to
> > > apply access control policy to the memfd_secret() fds we are going to
> > > need to attach some sort of LSM state to the inode, we might as well
> > > use the mechanism we already have instead of inventing another one.
> >
> > Any further comments (on design or implementation)?
> >
> > Should I resend a non-rfc?
>
> I personally would really like to see a selinux-testsuite for this so
> that we can verify it works not just now but in the future too. I
> think having a test would also help demonstrate the usefulness of the
> additional LSM controls.
>

Any comments (especially from the mm people)?

Draft SELinux testsuite patch:
https://github.com/SELinuxProject/selinux-testsuite/pull/80

> > One naming question:
> > Should the anonymous inode class be named "[secretmem]", like
> > "[userfaultfd]", or "[secret_mem]" similar to "[io_uring]"?
>
> The pr_fmt() string in mm/secretmem.c uses "secretmem" so I would
> suggest sticking with "[secretmem]", although that is a question best
> answered by the secretmem maintainer.
>
> --
> paul-moore.com