[RFC PATCH] mm: create security context for memfd_secret inodes
Paul Moore
paul at paul-moore.com
Wed Jan 26 23:01:30 UTC 2022
On Tue, Jan 25, 2022 at 9:33 AM Christian Göttsche
<cgzones at googlemail.com> wrote:
>
> Create a security context for the inodes created by memfd_secret(2) via
> the LSM hook inode_init_security_anon to allow a fine grained control.
> As secret memory areas can affect hibernation and have a global shared
> limit access control might be desirable.
>
> Signed-off-by: Christian Göttsche <cgzones at googlemail.com>
> ---
> An alternative way of checking memfd_secret(2) is to create a new LSM
> hook and e.g. for SELinux check via a new process class permission.
> ---
> mm/secretmem.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
This seems reasonable to me, and I like the idea of labeling the anon
inode as opposed to creating a new set of LSM hooks. If we want to
apply access control policy to the memfd_secret() fds we are going to
need to attach some sort of LSM state to the inode, we might as well
use the mechanism we already have instead of inventing another one.
> diff --git a/mm/secretmem.c b/mm/secretmem.c
> index 22b310adb53d..b61cd2f661bc 100644
> --- a/mm/secretmem.c
> +++ b/mm/secretmem.c
> @@ -164,11 +164,20 @@ static struct file *secretmem_file_create(unsigned long flags)
> {
> struct file *file = ERR_PTR(-ENOMEM);
> struct inode *inode;
> + const char *anon_name = "[secretmem]";
> + const struct qstr qname = QSTR_INIT(anon_name, strlen(anon_name));
> + int err;
>
> inode = alloc_anon_inode(secretmem_mnt->mnt_sb);
> if (IS_ERR(inode))
> return ERR_CAST(inode);
>
> + err = security_inode_init_security_anon(inode, &qname, NULL);
> + if (err) {
> + file = ERR_PTR(err);
> + goto err_free_inode;
> + }
> +
> file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",
> O_RDWR, &secretmem_fops);
> if (IS_ERR(file))
> --
> 2.34.1
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list