Files
linux-stable-mirror/include/linux
Shivank GargandGreg Kroah-Hartman e3eed01347 fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
[ Upstream commit cbe4134ea4 ]

Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
anonymous inodes with proper security context. This replaces the current
pattern of calling alloc_anon_inode() followed by
inode_init_security_anon() for creating security context manually.

This change also fixes a security regression in secretmem where the
S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
LSM/SELinux checks to be bypassed for secretmem file descriptors.

As guest_memfd currently resides in the KVM module, we need to export this
symbol for use outside the core kernel. In the future, guest_memfd might be
moved to core-mm, at which point the symbols no longer would have to be
exported. When/if that happens is still unclear.

Fixes: 2bfe15c526 ("mm: create security context for memfd_secret inodes")
Suggested-by: David Hildenbrand <david@redhat.com>
Suggested-by: Mike Rapoport <rppt@kernel.org>
Signed-off-by: Shivank Garg <shivankg@amd.com>
Link: https://lore.kernel.org/20250620070328.803704-3-shivankg@amd.com
Acked-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-07-10 16:03:18 +02:00
..
2025-05-09 09:43:58 +02:00
2024-12-14 19:59:58 +01:00
2025-07-06 11:00:16 +02:00
2025-02-08 09:52:02 +01:00
2025-01-09 13:31:41 +01:00
2025-04-25 10:45:31 +02:00
2025-02-08 09:52:38 +01:00
2025-03-28 21:59:55 +01:00
2025-01-23 17:21:12 +01:00
2025-01-09 13:31:41 +01:00
2025-02-01 18:37:51 +01:00
2025-02-27 04:10:50 -08:00
2025-05-22 14:12:12 +02:00