[PATCH] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
Vlastimil Babka
vbabka at suse.cz
Wed Jun 25 09:18:37 UTC 2025
On 6/25/25 11:05, Christian Brauner wrote:
> On Tue, Jun 24, 2025 at 11:02:16AM +0200, Christian Brauner wrote:
> I don't understand that argument. I don't care if out-of-tree users
> abuse some symbol because:
>
> * If they ever show up with a complaint we'll tell them to go away.
> * If they want to be merged upstream, we'll tell them to either change
> the code in question to not rely on the offending symbol or we decide
> that it's ok for them to use it and allow-list them.
>
> I do however very much care about in-tree consumers even for non-GPLd
> symbols. I want anyone who tries to use a symbol that we decided
> requires substantial arguments to be used to come to us and justify it.
> So EXPORT_*_FOR_MODULES() would certainly help with that.
>
> The other things is that using EXPORT_SYMBOL() or even
> EXPORT_SYMBOL_GPL() sends the wrong message to other module-like
> wanna-be consumers of these functions. I'm specifically thinking about
> bpf. They more than once argued that anything exposed to modules can
> also be exposed as a bpf kfunc as the stability guarantees are
> comparable.
>
> And it is not an insane argument. Being able to use
> EXPOR_SYMBOL_FOR_MODULES() would also allow to communicate "Hey, this
> very much just exists for the purpose of this one-off consumer that
> really can't do without it or without some other ugly hack.".
>
> Because this is where the pain for us is: If you do large-scale
> refactorings (/me glares at Al, Christoph, and in the mirror) the worst
> case is finding out that some special-purpose helper has grown N new
> users with a bunch of them using it completely wrong and now having to
> massage core code to not break something that's technically inherently
> broken.
>
> Out-of-tree consumers have zero relevance for all of this. For all I
> care they don't exist. It's about the maintainers ability to chop off
> the Kraken's tentacles.
Then I think you can just use EXPORT_SYMBOL_GPL_FOR_MODULES() as it is
today. It's intended for a particular in-tree module, which is by definition
going to be GPL. I doubt anyone will come complaining that you've cut off
their ability to fake the name of the in-tree module while having non-GPL
license. So I don't really see the danger of causing holy license wars
there. The _FOR_MODULES() part is restricting enough even without _GPL_.
But if we can indeed enforce in-tree-ness and drop _GPL_ from the name, it
would be cleaner IMHO.
More information about the Linux-security-module-archive
mailing list