From 8cd7057f990179334d0344368bc0a12c95b48be6 Mon Sep 17 00:00:00 2001 From: Shivank Garg Date: Thu, 24 Jul 2025 17:26:51 +0800 Subject: [PATCH] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass mainline inclusion from mainline-v6.16-rc5 commit cbe4134ea4bc493239786220bd69cb8a13493190 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICNXJB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cbe4134ea4bc493239786220bd69cb8a13493190 -------------------------------- fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon() for creating security context manually. This change also fixes a security regression in secretmem where the S_PRIVATE flag was not cleared after alloc_anon_inode(), causing LSM/SELinux checks to be bypassed for secretmem file descriptors. As guest_memfd currently resides in the KVM module, we need to export this symbol for use outside the core kernel. In the future, guest_memfd might be moved to core-mm, at which point the symbols no longer would have to be exported. When/if that happens is still unclear. Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes") Suggested-by: David Hildenbrand Suggested-by: Mike Rapoport Signed-off-by: Shivank Garg Link: https://lore.kernel.org/20250620070328.803704-3-shivankg@amd.com Acked-by: "Mike Rapoport (Microsoft)" Signed-off-by: Christian Brauner Conflicts: fs/anon_inodes.c include/linux/fs.h mm/secretmem.c [ The pre-refactoring commit e7e832ce6fa76 ("fs: add LSM-supporting anon-inode interface") and the supporting anon_inode_operations were not merged, resulting in significant conflicts. This patch primarily addresses the issue of cleaning up the private field to prevent permission check bypass. In this backport, the issue is directly fixed in secretmem_file_create. ] Reviewed-by: Nanyong Sun Signed-off-by: Zhang Qilong --- mm/secretmem.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mm/secretmem.c b/mm/secretmem.c index 399552814fd0..88fbd3598207 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -202,6 +202,11 @@ static struct file *secretmem_file_create(unsigned long flags) if (IS_ERR(inode)) return ERR_CAST(inode); + /* + * Not clear S_PRIVATE may cause LSM/SELinux checks to be + * bypassed for secretmem file descriptors. + */ + inode->i_flags &= ~S_PRIVATE; err = security_inode_init_security_anon(inode, &qname, NULL); if (err) { file = ERR_PTR(err); -- Gitee