From: Shivank Garg <shivankg@amd.com> mainline inclusion from mainline-v6.16-rc5 commit cbe4134ea4bc493239786220bd69cb8a13493190 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICNXJB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon() for creating security context manually. This change also fixes a security regression in secretmem where the S_PRIVATE flag was not cleared after alloc_anon_inode(), causing LSM/SELinux checks to be bypassed for secretmem file descriptors. As guest_memfd currently resides in the KVM module, we need to export this symbol for use outside the core kernel. In the future, guest_memfd might be moved to core-mm, at which point the symbols no longer would have to be exported. When/if that happens is still unclear. Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes") Suggested-by: David Hildenbrand <david@redhat.com> Suggested-by: Mike Rapoport <rppt@kernel.org> Signed-off-by: Shivank Garg <shivankg@amd.com> Link: https://lore.kernel.org/20250620070328.803704-3-shivankg@amd.com Acked-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org> Conflicts: fs/anon_inodes.c include/linux/fs.h mm/secretmem.c [ The pre-refactoring commit e7e832ce6fa76 ("fs: add LSM-supporting anon-inode interface") and the supporting anon_inode_operations were not merged, resulting in significant conflicts. This patch primarily addresses the issue of cleaning up the private field to prevent permission check bypass. In this backport, the issue is directly fixed in secretmem_file_create. ] Reviewed-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com> --- mm/secretmem.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mm/secretmem.c b/mm/secretmem.c index 399552814fd0..88fbd3598207 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -200,10 +200,15 @@ static struct file *secretmem_file_create(unsigned long flags) inode = alloc_anon_inode(secretmem_mnt->mnt_sb); if (IS_ERR(inode)) return ERR_CAST(inode); + /* + * Not clear S_PRIVATE may cause LSM/SELinux checks to be + * bypassed for secretmem file descriptors. + */ + inode->i_flags &= ~S_PRIVATE; err = security_inode_init_security_anon(inode, &qname, NULL); if (err) { file = ERR_PTR(err); goto err_free_inode; } -- 2.43.0