[PATCH] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass

Wed Jun 25 08:02:23 UTC 2025

On 6/23/25 16:28, Peter Zijlstra wrote:
> On Mon, Jun 23, 2025 at 04:21:15PM +0200, Vlastimil Babka wrote:
>> On 6/23/25 16:01, Christoph Hellwig wrote:
>> > On Mon, Jun 23, 2025 at 07:00:39AM -0700, Christoph Hellwig wrote:
>> >> On Mon, Jun 23, 2025 at 12:16:27PM +0200, Christian Brauner wrote:
>> >> > I'm more than happy to switch a bunch of our exports so that we only
>> >> > allow them for specific modules. But for that we also need
>> >> > EXPOR_SYMBOL_FOR_MODULES() so we can switch our non-gpl versions.
>> >> 
>> >> Huh?  Any export for a specific in-tree module (or set thereof) is
>> >> by definition internals and an _GPL export if perfectly fine and
>> >> expected.
>> 
>> Peterz tells me EXPORT_SYMBOL_GPL_FOR_MODULES() is not limited to in-tree
>> modules, so external module with GPL and matching name can import.
>> 
>> But if we're targetting in-tree stuff like kvm, we don't need to provide a
>> non-GPL variant I think?
> 
> So the purpose was to limit specific symbols to known in-tree module
> users (hence GPL only).
> 
> Eg. KVM; x86 exports a fair amount of low level stuff just because KVM.
> Nobody else should be touching those symbols.
> 
> If you have a pile of symbols for !GPL / out-of-tree consumers, it
> doesn't really make sense to limit the export to a named set of modules,
> does it?
> 
> So yes, nothing limits things to in-tree modules per-se. The
> infrastructure only really cares about module names (and implicitly
> trusts the OS to not overwrite existing kernel modules etc.). So you
> could add an out-of-tree module name to the list (or have an out-of-free
> module have a name that matches a glob; "kvm-vmware" would match "kvm-*"
> for example).
> 
> But that is very much beyond the intention of things.

So AFAIK we have a way to recognize out of tree modules when loading, as
there's a taint just for that. Then the same mechanism could perhaps just
refuse loading them if they use any _FOR_MODULES() export, regardless of
name? Then the _GPL_ part would become implicit and redundant and we could
drop it as Christoph suggested?