Re: [PATCH 1/2] fs: Provide function that allocates a secure anonymous inode

Mike Rapoport <rppt@xxxxxxxxxx> · Thu, 19 Jun 2025 08:36:48 +0300

On Mon, Jun 16, 2025 at 06:30:09PM +0530, Shivank Garg wrote:
> 
> 
> On 6/6/2025 8:39 PM, Ira Weiny wrote:
> > Paul Moore wrote:
> >> On Thu, Jun 5, 2025 at 1:50 AM Mike Rapoport <rppt@xxxxxxxxxx> wrote:
> >>>
> >>> secretmem always had S_PRIVATE set because alloc_anon_inode() clears it
> >>> anyway and this patch does not change it.
> >>
> >> Yes, my apologies, I didn't look closely enough at the code.
> >>
> >>> I'm just thinking that it makes sense to actually allow LSM/SELinux
> >>> controls that S_PRIVATE bypasses for both secretmem and guest_memfd.
> >>
> >> It's been a while since we added the anon_inode hooks so I'd have to
> >> go dig through the old thread to understand the logic behind marking
> >> secretmem S_PRIVATE, especially when the
> >> anon_inode_make_secure_inode() function cleared it.  It's entirely
> >> possible it may have just been an oversight.

anon_inode_make_secure_inode() was introduced when more than 10 versions of
secretmem already were posted so it didn't jump at me to replace
alloc_anon_inode() with anon_inode_make_secure_inode().

> > I'm jumping in where I don't know what I'm talking about...
> > 
> > But my reading of the S_PRIVATE flag is that the memory can't be mapped by
> > user space.  So for guest_memfd() we need !S_PRIVATE because it is
> > intended to be mapped by user space.  So we want the secure checks.
> > 
> > I think secretmem is the same.

Agree.

> > Do I have that right?
> 
> 
> Hi Mike, Paul,
> 
> If I understand correctly,
> we need to clear the S_PRIVATE flag for all secure inodes. The S_PRIVATE flag was previously
> set for  secretmem (via alloc_anon_inode()), which caused security checks to be 
> bypassed - this was unintentional since the original anon_inode_make_secure_inode() 
> was already clearing it.
> 
> Both secretmem and guest_memfd create file descriptors
> (memfd_create/kvm_create_guest_memfd)
> so they should be subject to LSM/SELinux security policies rather than bypassing them with S_PRIVATE?
> 
> static struct inode *anon_inode_make_secure_inode(struct super_block *s,
> 		const char *name, const struct inode *context_inode)
> {
> ...
> 	/* Clear S_PRIVATE for all inodes*/
> 	inode->i_flags &= ~S_PRIVATE;
> ...
> }
> 
> Please let me know if this conclusion makes sense?

Yes, makes sense to me.

> Thanks,
> Shivank

-- 
Sincerely yours,
Mike.