On 6/19/2025 2:43 PM, Vlastimil Babka wrote: > On 6/19/25 09:31, Shivank Garg wrote: >> Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create >> anonymous inodes with proper security context. This replaces the current >> pattern of calling alloc_anon_inode() followed by >> inode_init_security_anon() for creating security context manually. >> >> This change also fixes a security regression in secretmem where the >> S_PRIVATE flag was not cleared after alloc_anon_inode(), causing >> LSM/SELinux checks to be bypassed for secretmem file descriptors. >> >> As guest_memfd currently resides in the KVM module, we need to export this > > Could we use the new EXPORT_SYMBOL_GPL_FOR_MODULES() thingy to make this > explicit for KVM? > Thanks for the suggestion. I wasn't aware of this earlier. I think it makes sense to use it now. So, the code would look like this: +EXPORT_SYMBOL_GPL_FOR_MODULES(anon_inode_make_secure_inode, "kvm"); which builds fine for me. I hope this is the correct usage. Thanks, Shivank
