| Message ID | 20221209160453.3246150-7-jeffxu@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp861544wrr;
Fri, 9 Dec 2022 08:09:26 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf6TQUln9YI4eCeVuJL8c5U2nfcPZn480V1T2LWPP7bMCV+NCQloWF68OGlzswXM4f1MzvjL
X-Received: by 2002:a17:903:1341:b0:189:e4e:792c with SMTP id
jl1-20020a170903134100b001890e4e792cmr5826550plb.64.1670602166009;
Fri, 09 Dec 2022 08:09:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670602165; cv=none;
d=google.com; s=arc-20160816;
b=cOiep+Yu4y5N1nzP48TbRa8WEzEgF6N0DZx6N3T9VPg5ovWdAYFaY/lZaC6QRZfvuy
gh/DJ5i33MmaT809FLsBBcjVIglLX636Uk8fLaHFJvMMC1q2fMOINKCyk5mcrfGoB/Ee
wUnu7e0z65YZhxkUlr6aBIs4GZNYTOzHC2JdIzjVyDMLCQxN10TqGqp0YGf/xsmopzor
x/jJ1y9V+JX7nt1SL4gOAy8I2cYFe7H7YpAc+ubydAKsXPlkIpfMmFxSIcu8qsZ0zZ9R
oDNZxpkp4nPng2poS9/KUmpx9FrJwKFj42CXtx067idPul1ZhRW4xkwbZSh57tL2qQjJ
TRvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=dO2vEZu0Db7wP8hwByIkT/4WBK5RsSRu/0g8CrsVk0Q=;
b=j8en01ZeJ10+XP92liu5Qd2QKrfzf/IeFVfLLiAVLcA44luzNxYG02XVec+LHfnlZ2
CiQDySsNjSGnLeSG6NqI8OxTLCWJqpu2nz2Nj/8fX5M/AebKkh7+ZM1MqXcTuD9rnVgk
4mivp66U5avKyH8R9zXBk1tAnQwn02FSadryXhXLdXMJeajUKyvmljLvHuc3x7lfA4NE
javfzkMLaMnJdeSxnlO44uOd5124LjFVebt5o9+d/1+ECIwzUP4fRBvXMnJzhfqcr2hZ
5n7rQ0cLqxv2UTFjBfvS6ncUkwX1fITuWtZk6/c92wHchyKnopBVilialgzp9nTNJtzi
GVsg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=Nz9hhcL5;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
u4-20020a170902e5c400b001894d872b14si1836359plf.66.2022.12.09.08.09.12;
Fri, 09 Dec 2022 08:09:25 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=Nz9hhcL5;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230100AbiLIQFq (ORCPT <rfc822;sophiezhao968@gmail.com>
+ 99 others); Fri, 9 Dec 2022 11:05:46 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50308 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230161AbiLIQFY (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 9 Dec 2022 11:05:24 -0500
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com
[IPv6:2607:f8b0:4864:20::52e])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2A59359FDD
for <linux-kernel@vger.kernel.org>;
Fri, 9 Dec 2022 08:05:06 -0800 (PST)
Received: by mail-pg1-x52e.google.com with SMTP id s196so3827191pgs.3
for <linux-kernel@vger.kernel.org>;
Fri, 09 Dec 2022 08:05:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=dO2vEZu0Db7wP8hwByIkT/4WBK5RsSRu/0g8CrsVk0Q=;
b=Nz9hhcL5VUT1DNeWW7Mvl2m+8tMK4KUW9ZM63sJBU7BZC5BXcP0QrGhhfixxQYFJr6
jaW0mxnuLY9YKm9/eIJoGL3j7a2Nnz/LO5wqZBulnXeLBCJR0YvayQPJuPVgnkWRqUzs
VIPCWg63G260HdzCt34cupUwQj6+eayz1j76w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=dO2vEZu0Db7wP8hwByIkT/4WBK5RsSRu/0g8CrsVk0Q=;
b=o/YGGuR0Rzoid6Z6/N+Sy6HFPP/LsWmjH3NFFSJGjJfD5hPziGtx08BYrSUZcAr8mk
fLRd7gcPTdE5D+iN1/kgmVvS2ta96XIVm82mrqrrnhPbj9TMv4Tnkues7X5CrlGaY8wq
hv2TITF2PVfTDm9CHV+JRRgS+UZmk3G5a9Lzx9igihIVY6rLvSiUb2fDX81rCuT3YWSp
otcoa05Znli1QOGws/XNnnwBAUgLrYZJnqJ2cWvJXp0iTam39BrP5a6+oO2XY0qxH83Z
Xa8ClSpyIMgdIHb3K4836RpwnGlIpWdObKwlbXiAnJAyOIGZTL5HF5+Vv6um/mR3pqM3
vgnQ==
X-Gm-Message-State: ANoB5pl4/ydI/e9g8Yi0lEVK5xdqJEj36MJEmcZx/txK8r3bT5UIqaGu
fxLfh1xsQ71rfcpKXuviYSkncA==
X-Received: by 2002:aa7:858a:0:b0:575:de28:b1f4 with SMTP id
w10-20020aa7858a000000b00575de28b1f4mr5165976pfn.16.1670601905655;
Fri, 09 Dec 2022 08:05:05 -0800 (PST)
Received: from jeffxud.c.googlers.com.com
(30.202.168.34.bc.googleusercontent.com. [34.168.202.30])
by smtp.gmail.com with ESMTPSA id
a15-20020aa795af000000b00576670cc170sm1460504pfk.93.2022.12.09.08.05.04
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 09 Dec 2022 08:05:05 -0800 (PST)
From: jeffxu@chromium.org
To: skhan@linuxfoundation.org, keescook@chromium.org
Cc: akpm@linux-foundation.org, dmitry.torokhov@gmail.com,
dverkamp@chromium.org, hughd@google.com, jeffxu@google.com,
jorgelo@chromium.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
jannh@google.com, linux-hardening@vger.kernel.org,
linux-security-module@vger.kernel.org,
kernel test robot <lkp@intel.com>
Subject: [PATCH v7 6/6] mm/memfd: security hook for memfd_create
Date: Fri, 9 Dec 2022 16:04:53 +0000
Message-Id: <20221209160453.3246150-7-jeffxu@google.com>
X-Mailer: git-send-email 2.39.0.rc1.256.g54fd8350bd-goog
In-Reply-To: <20221209160453.3246150-1-jeffxu@google.com>
References: <20221209160453.3246150-1-jeffxu@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1751753336692368982?=
X-GMAIL-MSGID: =?utf-8?q?1751753336692368982?=
|
| Series |
mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC
|
|
Commit Message
Jeff Xu
Dec. 9, 2022, 4:04 p.m. UTC
From: Jeff Xu <jeffxu@google.com> The new security_memfd_create allows lsm to check flags of memfd_create. The security by default system (such as chromeos) can use this to implement system wide lsm to allow only non-executable memfd being created. Signed-off-by: Jeff Xu <jeffxu@google.com> Reported-by: kernel test robot <lkp@intel.com> --- include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 4 ++++ include/linux/security.h | 6 ++++++ mm/memfd.c | 5 +++++ security/security.c | 5 +++++ 5 files changed, 21 insertions(+)
Comments
On 12/9/2022 8:04 AM, jeffxu@chromium.org wrote: > From: Jeff Xu <jeffxu@google.com> > > The new security_memfd_create allows lsm to check flags of > memfd_create. > > The security by default system (such as chromeos) can use this > to implement system wide lsm to allow only non-executable memfd > being created. > > Signed-off-by: Jeff Xu <jeffxu@google.com> > Reported-by: kernel test robot <lkp@intel.com> > --- > include/linux/lsm_hook_defs.h | 1 + > include/linux/lsm_hooks.h | 4 ++++ > include/linux/security.h | 6 ++++++ > mm/memfd.c | 5 +++++ > security/security.c | 5 +++++ > 5 files changed, 21 insertions(+) > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index ec119da1d89b..fd40840927c8 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -164,6 +164,7 @@ LSM_HOOK(int, 0, file_alloc_security, struct file *file) > LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file) > LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd, > unsigned long arg) > +LSM_HOOK(int, 0, memfd_create, char *name, unsigned int flags) > LSM_HOOK(int, 0, mmap_addr, unsigned long addr) > LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot, > unsigned long prot, unsigned long flags) > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 4ec80b96c22e..5a18a6552278 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -543,6 +543,10 @@ > * simple integer value. When @arg represents a user space pointer, it > * should never be used by the security module. > * Return 0 if permission is granted. > + * @memfd_create: > + * @name is the name of memfd file. > + * @flags is the flags used in memfd_create. > + * Return 0 if permission is granted. > * @mmap_addr : > * Check permissions for a mmap operation at @addr. > * @addr contains virtual address that will be used for the operation. > diff --git a/include/linux/security.h b/include/linux/security.h > index ca1b7109c0db..5b87a780822a 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -384,6 +384,7 @@ int security_file_permission(struct file *file, int mask); > int security_file_alloc(struct file *file); > void security_file_free(struct file *file); > int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); > +int security_memfd_create(char *name, unsigned int flags); > int security_mmap_file(struct file *file, unsigned long prot, > unsigned long flags); > int security_mmap_addr(unsigned long addr); > @@ -963,6 +964,11 @@ static inline int security_file_ioctl(struct file *file, unsigned int cmd, > return 0; > } > > +static inline int security_memfd_create(char *name, unsigned int flags) > +{ > + return 0; > +} > + Add a proper kernel doc comment for this function. > static inline int security_mmap_file(struct file *file, unsigned long prot, > unsigned long flags) > { > diff --git a/mm/memfd.c b/mm/memfd.c > index 92f0a5765f7c..f04ed5f0474f 100644 > --- a/mm/memfd.c > +++ b/mm/memfd.c > @@ -356,6 +356,11 @@ SYSCALL_DEFINE2(memfd_create, > goto err_name; > } > > + /* security hook for memfd_create */ > + error = security_memfd_create(name, flags); > + if (error) > + return error; > + > if (flags & MFD_HUGETLB) { > file = hugetlb_file_setup(name, 0, VM_NORESERVE, > HUGETLB_ANONHUGE_INODE, > diff --git a/security/security.c b/security/security.c > index 79d82cb6e469..57788cf94075 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -1010,6 +1010,11 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb, > } > EXPORT_SYMBOL(security_sb_clone_mnt_opts); > > +int security_memfd_create(char *name, unsigned int flags) > +{ > + return call_int_hook(memfd_create, 0, name, flags); > +} > + > int security_move_mount(const struct path *from_path, const struct path *to_path) > { > return call_int_hook(move_mount, 0, from_path, to_path);
On Fri, Dec 9, 2022 at 11:05 AM <jeffxu@chromium.org> wrote: > > From: Jeff Xu <jeffxu@google.com> > > The new security_memfd_create allows lsm to check flags of > memfd_create. > > The security by default system (such as chromeos) can use this > to implement system wide lsm to allow only non-executable memfd > being created. > > Signed-off-by: Jeff Xu <jeffxu@google.com> > Reported-by: kernel test robot <lkp@intel.com> > --- > include/linux/lsm_hook_defs.h | 1 + > include/linux/lsm_hooks.h | 4 ++++ > include/linux/security.h | 6 ++++++ > mm/memfd.c | 5 +++++ > security/security.c | 5 +++++ > 5 files changed, 21 insertions(+) We typically require at least one in-tree LSM implementation to accompany a new LSM hook. Beyond simply providing proof that the hook has value, it helps provide a functional example both for reviewers as well as future LSM implementations. Also, while the BPF LSM is definitely "in-tree", its nature is such that the actual implementation lives out-of-tree; something like SELinux, AppArmor, Smack, etc. are much more desirable from an in-tree example perspective.
On Fri, Dec 9, 2022 at 10:29 AM Paul Moore <paul@paul-moore.com> wrote: > > On Fri, Dec 9, 2022 at 11:05 AM <jeffxu@chromium.org> wrote: > > > > From: Jeff Xu <jeffxu@google.com> > > > > The new security_memfd_create allows lsm to check flags of > > memfd_create. > > > > The security by default system (such as chromeos) can use this > > to implement system wide lsm to allow only non-executable memfd > > being created. > > > > Signed-off-by: Jeff Xu <jeffxu@google.com> > > Reported-by: kernel test robot <lkp@intel.com> > > --- > > include/linux/lsm_hook_defs.h | 1 + > > include/linux/lsm_hooks.h | 4 ++++ > > include/linux/security.h | 6 ++++++ > > mm/memfd.c | 5 +++++ > > security/security.c | 5 +++++ > > 5 files changed, 21 insertions(+) > > We typically require at least one in-tree LSM implementation to > accompany a new LSM hook. Beyond simply providing proof that the hook > has value, it helps provide a functional example both for reviewers as > well as future LSM implementations. Also, while the BPF LSM is > definitely "in-tree", its nature is such that the actual > implementation lives out-of-tree; something like SELinux, AppArmor, > Smack, etc. are much more desirable from an in-tree example > perspective. > Thanks for the comments. Would that be OK if I add a new LSM in the kernel to block executable memfd creation ? Alternatively, it might be possible to add this into SELinux or landlock, it will be a larger change. Thanks Jeff > -- > paul-moore.com
On 12/13/2022 7:00 AM, Jeff Xu wrote: > On Fri, Dec 9, 2022 at 10:29 AM Paul Moore <paul@paul-moore.com> wrote: >> On Fri, Dec 9, 2022 at 11:05 AM <jeffxu@chromium.org> wrote: >>> From: Jeff Xu <jeffxu@google.com> >>> >>> The new security_memfd_create allows lsm to check flags of >>> memfd_create. >>> >>> The security by default system (such as chromeos) can use this >>> to implement system wide lsm to allow only non-executable memfd >>> being created. >>> >>> Signed-off-by: Jeff Xu <jeffxu@google.com> >>> Reported-by: kernel test robot <lkp@intel.com> >>> --- >>> include/linux/lsm_hook_defs.h | 1 + >>> include/linux/lsm_hooks.h | 4 ++++ >>> include/linux/security.h | 6 ++++++ >>> mm/memfd.c | 5 +++++ >>> security/security.c | 5 +++++ >>> 5 files changed, 21 insertions(+) >> We typically require at least one in-tree LSM implementation to >> accompany a new LSM hook. Beyond simply providing proof that the hook >> has value, it helps provide a functional example both for reviewers as >> well as future LSM implementations. Also, while the BPF LSM is >> definitely "in-tree", its nature is such that the actual >> implementation lives out-of-tree; something like SELinux, AppArmor, >> Smack, etc. are much more desirable from an in-tree example >> perspective. >> > Thanks for the comments. > Would that be OK if I add a new LSM in the kernel to block executable > memfd creation ? > Alternatively, it might be possible to add this into SELinux or > landlock, it will be a larger change. I expect you'll get other opinions, but I'd be happy with a small LSM that does sophisticated memory fd controls. I also expect that the SELinux crew would like to see a hook included there. > > Thanks > > Jeff > > >> -- >> paul-moore.com
On Tue, Dec 13, 2022 at 10:00 AM Jeff Xu <jeffxu@google.com> wrote: > On Fri, Dec 9, 2022 at 10:29 AM Paul Moore <paul@paul-moore.com> wrote: > > On Fri, Dec 9, 2022 at 11:05 AM <jeffxu@chromium.org> wrote: > > > > > > From: Jeff Xu <jeffxu@google.com> > > > > > > The new security_memfd_create allows lsm to check flags of > > > memfd_create. > > > > > > The security by default system (such as chromeos) can use this > > > to implement system wide lsm to allow only non-executable memfd > > > being created. > > > > > > Signed-off-by: Jeff Xu <jeffxu@google.com> > > > Reported-by: kernel test robot <lkp@intel.com> > > > --- > > > include/linux/lsm_hook_defs.h | 1 + > > > include/linux/lsm_hooks.h | 4 ++++ > > > include/linux/security.h | 6 ++++++ > > > mm/memfd.c | 5 +++++ > > > security/security.c | 5 +++++ > > > 5 files changed, 21 insertions(+) > > > > We typically require at least one in-tree LSM implementation to > > accompany a new LSM hook. Beyond simply providing proof that the hook > > has value, it helps provide a functional example both for reviewers as > > well as future LSM implementations. Also, while the BPF LSM is > > definitely "in-tree", its nature is such that the actual > > implementation lives out-of-tree; something like SELinux, AppArmor, > > Smack, etc. are much more desirable from an in-tree example > > perspective. > > Thanks for the comments. > Would that be OK if I add a new LSM in the kernel to block executable > memfd creation ? If you would be proposing the LSM only to meet the requirement of providing an in-tree LSM example, no that would definitely *not* be okay. Proposing a new LSM involves documenting a meaningful security model, implementing it, developing tests, going through a (likely multi-step) review process, and finally accepting the long term maintenance responsibilities of this new LSM. If you are proposing a new LSM because you feel the current LSMs do not provide a security model which meets your needs, then yes, proposing a new LSM might be a good idea. However, if you are proposing a new LSM because you don't want to learn how to add a new hook to an existing LSM, then I suspect you are misguided/misinformed with the amount of work involved in submitting a new LSM. > Alternatively, it might be possible to add this into SELinux or > landlock, it will be a larger change. It will be a much smaller change than submitting a new LSM, and it would have infinitely more value to the community than a throw-away LSM where the only use-case is getting your code merged upstream.
On Tue, Dec 13, 2022 at 11:22 AM Paul Moore <paul@paul-moore.com> wrote: > > On Tue, Dec 13, 2022 at 10:00 AM Jeff Xu <jeffxu@google.com> wrote: > > On Fri, Dec 9, 2022 at 10:29 AM Paul Moore <paul@paul-moore.com> wrote: > > > On Fri, Dec 9, 2022 at 11:05 AM <jeffxu@chromium.org> wrote: > > > > > > > > From: Jeff Xu <jeffxu@google.com> > > > > > > > > The new security_memfd_create allows lsm to check flags of > > > > memfd_create. > > > > > > > > The security by default system (such as chromeos) can use this > > > > to implement system wide lsm to allow only non-executable memfd > > > > being created. > > > > > > > > Signed-off-by: Jeff Xu <jeffxu@google.com> > > > > Reported-by: kernel test robot <lkp@intel.com> > > > > --- > > > > include/linux/lsm_hook_defs.h | 1 + > > > > include/linux/lsm_hooks.h | 4 ++++ > > > > include/linux/security.h | 6 ++++++ > > > > mm/memfd.c | 5 +++++ > > > > security/security.c | 5 +++++ > > > > 5 files changed, 21 insertions(+) > > > > > > We typically require at least one in-tree LSM implementation to > > > accompany a new LSM hook. Beyond simply providing proof that the hook > > > has value, it helps provide a functional example both for reviewers as > > > well as future LSM implementations. Also, while the BPF LSM is > > > definitely "in-tree", its nature is such that the actual > > > implementation lives out-of-tree; something like SELinux, AppArmor, > > > Smack, etc. are much more desirable from an in-tree example > > > perspective. > > > > Thanks for the comments. > > Would that be OK if I add a new LSM in the kernel to block executable > > memfd creation ? > > If you would be proposing the LSM only to meet the requirement of > providing an in-tree LSM example, no that would definitely *not* be > okay. > > Proposing a new LSM involves documenting a meaningful security model, > implementing it, developing tests, going through a (likely multi-step) > review process, and finally accepting the long term maintenance > responsibilities of this new LSM. If you are proposing a new LSM > because you feel the current LSMs do not provide a security model > which meets your needs, then yes, proposing a new LSM might be a good > idea. However, if you are proposing a new LSM because you don't want > to learn how to add a new hook to an existing LSM, then I suspect you > are misguided/misinformed with the amount of work involved in > submitting a new LSM. > > > Alternatively, it might be possible to add this into SELinux or > > landlock, it will be a larger change. > > It will be a much smaller change than submitting a new LSM, and it > would have infinitely more value to the community than a throw-away > LSM where the only use-case is getting your code merged upstream. > Thanks, my original thought is this LSM will be used by ChromeOS, since all of its memfd shall be non-executable. That said, I see the community will benefit more with this in SELinux. I will work to add this in SELinux, appreciate help while I'm learning to add this. Jeff > -- > paul-moore.com
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ec119da1d89b..fd40840927c8 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -164,6 +164,7 @@ LSM_HOOK(int, 0, file_alloc_security, struct file *file) LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file) LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd, unsigned long arg) +LSM_HOOK(int, 0, memfd_create, char *name, unsigned int flags) LSM_HOOK(int, 0, mmap_addr, unsigned long addr) LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4ec80b96c22e..5a18a6552278 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -543,6 +543,10 @@ * simple integer value. When @arg represents a user space pointer, it * should never be used by the security module. * Return 0 if permission is granted. + * @memfd_create: + * @name is the name of memfd file. + * @flags is the flags used in memfd_create. + * Return 0 if permission is granted. * @mmap_addr : * Check permissions for a mmap operation at @addr. * @addr contains virtual address that will be used for the operation. diff --git a/include/linux/security.h b/include/linux/security.h index ca1b7109c0db..5b87a780822a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -384,6 +384,7 @@ int security_file_permission(struct file *file, int mask); int security_file_alloc(struct file *file); void security_file_free(struct file *file); int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); +int security_memfd_create(char *name, unsigned int flags); int security_mmap_file(struct file *file, unsigned long prot, unsigned long flags); int security_mmap_addr(unsigned long addr); @@ -963,6 +964,11 @@ static inline int security_file_ioctl(struct file *file, unsigned int cmd, return 0; } +static inline int security_memfd_create(char *name, unsigned int flags) +{ + return 0; +} + static inline int security_mmap_file(struct file *file, unsigned long prot, unsigned long flags) { diff --git a/mm/memfd.c b/mm/memfd.c index 92f0a5765f7c..f04ed5f0474f 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -356,6 +356,11 @@ SYSCALL_DEFINE2(memfd_create, goto err_name; } + /* security hook for memfd_create */ + error = security_memfd_create(name, flags); + if (error) + return error; + if (flags & MFD_HUGETLB) { file = hugetlb_file_setup(name, 0, VM_NORESERVE, HUGETLB_ANONHUGE_INODE, diff --git a/security/security.c b/security/security.c index 79d82cb6e469..57788cf94075 100644 --- a/security/security.c +++ b/security/security.c @@ -1010,6 +1010,11 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb, } EXPORT_SYMBOL(security_sb_clone_mnt_opts); +int security_memfd_create(char *name, unsigned int flags) +{ + return call_int_hook(memfd_create, 0, name, flags); +} + int security_move_mount(const struct path *from_path, const struct path *to_path) { return call_int_hook(move_mount, 0, from_path, to_path);