
[RFC,v2,1/2] memfd,lsm: add a security hook to memfd_create()

Message ID 20250129203932.22165-2-wufan@kernel.org (mailing list archive)


Fan Wu Jan. 29, 2025, 8:39 p.m. UTC
From: Fan Wu <wufan@kernel.org>

This patch adds a new LSM hook that notifies the security subsystem
whenever a new memfd is created by memfd_create(). The hook is invoked
before fd_install() inside memfd_create(), allowing the LSM to
differentiate memfd files from regular shmemfs or hugetlbfs files that
share the same superblock.

Upon receiving this notification, an LSM can label the memfd files so
that it can thereafter make security decisions specifically for them.

Signed-off-by: Fan Wu <wufan@kernel.org>
---
 include/linux/lsm_hook_defs.h |  3 +++
 include/linux/security.h      |  8 ++++++++
 mm/memfd.c                    |  2 ++
 security/security.c           | 11 +++++++++++
 4 files changed, 24 insertions(+)


diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index e2f1ce37c41e..1c0a9953c924 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -463,3 +463,6 @@  LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev)
 LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev)
 LSM_HOOK(int, 0, bdev_setintegrity, struct block_device *bdev,
 	 enum lsm_integrity_type type, const void *value, size_t size)
+
+LSM_HOOK(void, 0, memfd_created, struct file *file)
+
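Review bot: The default-value column of the new `LSM_HOOK` entry is `0`, but every other void hook in this table, including `bdev_free_security` two lines above, uses `LSM_RET_VOID`; the DEFAULT field is what the generated BPF LSM stubs return, so a literal `0` in a function returning void is at best a compiler warning. It should read `LSM_HOOK(void, LSM_RET_VOID, memfd_created, struct file *file)`. The extra blank line after the entry also leaves a trailing empty line at the end of the header.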
diff --git a/include/linux/security.h b/include/linux/security.h
index 980b6c207cad..40ae79270eaf 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2386,4 +2386,12 @@  static inline void security_initramfs_populated(void)
 }
 #endif /* CONFIG_SECURITY */
 
+#ifdef CONFIG_SECURITY
+extern void security_memfd_created(struct file *file);
+#else
+static inline void security_memfd_created(struct file *file)
+{
+}
+#endif /* CONFIG_SECURITY */
+
 #endif /* ! __LINUX_SECURITY_H */
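Review bot: The prototype and its `!CONFIG_SECURITY` stub are wrapped in a fresh `#ifdef CONFIG_SECURITY` / `#else` pair placed after the `#endif` that closes the header's existing one, which duplicates the guard and detaches the hook from the rest of the security_* declarations; moving `void security_memfd_created(struct file *file);` into the existing `#ifdef CONFIG_SECURITY` section and the empty inline into the existing `#else` section keeps the file's structure. The `extern` storage class is redundant on a function prototype and, as far as I recall, checkpatch warns about `extern` prototypes in headers. A one-line kerneldoc on the declaration would also help readers of the header, since the stub carries no comment.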
diff --git a/mm/memfd.c b/mm/memfd.c
index 37f7be57c2f5..597d27ccb0b6 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -19,6 +19,7 @@ 
 #include <linux/shmem_fs.h>
 #include <linux/memfd.h>
 #include <linux/pid_namespace.h>
+#include <linux/security.h>
 #include <uapi/linux/memfd.h>
 
 /*
@@ -483,6 +484,7 @@  SYSCALL_DEFINE2(memfd_create,
 		goto err_fd;
 	}
 
+	security_memfd_created(file);
 	fd_install(fd, file);
 	kfree(name);
 	return fd;
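Review bot: The call site gives no hint that this hook is purely a notification: the `struct file` and the fd are already allocated when `security_memfd_created()` runs, and because the hook returns void an LSM cannot refuse the memfd here, only observe and label it. A brief comment would make that explicit, e.g. `/* Notify LSMs so they can label the memfd; this is not an access check. */` placed above the call. If denial is ever wanted, the hook would need an int return checked before `fd_install()`, with the file released on the error path. The body of `memfd_create` starts and ends outside this hunk.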
diff --git a/security/security.c b/security/security.c
index 143561ebc3e8..daa9e0e0e879 100644
--- a/security/security.c
+++ b/security/security.c
@@ -6010,3 +6010,14 @@  void security_initramfs_populated(void)
 {
 	call_void_hook(initramfs_populated);
 }
+
+/**
+ * security_memfd_created() - Notify LSMs that a memfd has been created
+ *
+ * Tells the LSMs that a memfd has been created.
+ */
+void security_memfd_created(struct file *file)
+{
+	call_void_hook(memfd_created, file);
+}
+
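Review bot: The kerneldoc block for `security_memfd_created()` has no `@file:` entry, so `scripts/kernel-doc` will warn about the undocumented parameter, and the description only restates the summary line. Add `* @file: the newly created memfd file` after the summary and say what the hook is for, e.g. `* Called from memfd_create() before the fd is installed so LSMs can label the file.`. The hunk also ends with a trailing blank line at end of file, which checkpatch flags.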