From: Andy Lutomirski <luto@amacapital.net>
To: Daniel Colascione <dancol@google.com>
Cc: Jann Horn <jannh@google.com>,
Joel Fernandes <joel@joelfernandes.org>,
kernel list <linux-kernel@vger.kernel.org>,
John Reck <jreck@google.com>,
John Stultz <john.stultz@linaro.org>,
Todd Kjos <tkjos@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Christoph Hellwig <hch@infradead.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Bruce Fields <bfields@fieldses.org>,
Jeff Layton <jlayton@kernel.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
Lei.Yang@windriver.com, linux-fsdevel@vger.kernel.org,
linux-kselftest@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
marcandre.lureau@redhat.com,
Mike Kravetz <mike.kravetz@oracle.com>,
Minchan Kim <minchan@kernel.org>, Shuah Khan <shuah@kernel.org>,
valdis.kletnieks@vt.edu, Hugh Dickins <hughd@google.com>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
Date: Fri, 9 Nov 2018 15:14:02 -0800 [thread overview]
Message-ID: <F8A6A5DC-3BA0-43BD-B7EC-EDE199B33A02@amacapital.net> (raw)
In-Reply-To: <CAKOZuetZrL10zWwn4Jzzg0QL2nd3Fm0JxGtzC79SZAfOK525Ag@mail.gmail.com>
> On Nov 9, 2018, at 2:42 PM, Daniel Colascione <dancol@google.com> wrote:
>
> On Fri, Nov 9, 2018 at 2:37 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> Another, more general fix might be to prevent /proc/pid/fd/N opens
>>> from "upgrading" access modes. But that'd be a bigger ABI break.
>>
>> I think we should fix that, too. I consider it a bug fix, not an ABI break, personally.
>
> Someone, somewhere is probably relying on it though, and that means
> that we probably can't change it unless it's actually causing
> problems.
>
> <mumble>spacebar heating</mumble>
I think it has caused problems in the past. It’s certainly extremely surprising behavior. I’d say it should be fixed and, if needed, a sysctl to unfix it might be okay.
>
>>>> That aside: I wonder whether a better API would be something that
>>>> allows you to create a new readonly file descriptor, instead of
>>>> fiddling with the writability of an existing fd.
>>>
>>> That doesn't work, unfortunately. The ashmem API we're replacing with
>>> memfd requires file descriptor continuity. I also looked into opening
>>> a new FD and dup2(2)ing atop the old one, but this approach doesn't
>>> work in the case that the old FD has already leaked to some other
>>> context (e.g., another dup, SCM_RIGHTS). See
>>> https://developer.android.com/ndk/reference/group/memory. We can't
>>> break ASharedMemory_setProt.
>>
>>
>> Hmm. If we fix the general reopen bug, a way to drop write access from an existing struct file would do what Android needs, right? I don’t know if there are general VFS issues with that.
>
> I also proposed that. :-) Maybe it'd work best as a special case of
> the perennial revoke(2) that people keep proposing. You'd be able to
> selectively revoke all access or just write access.
Sounds good to me, modulo possible races, but that shouldn’t be too hard to deal with.
WARNING: multiple messages have this Message-ID (diff)
From: luto at amacapital.net (Andy Lutomirski)
Subject: [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
Date: Fri, 9 Nov 2018 15:14:02 -0800 [thread overview]
Message-ID: <F8A6A5DC-3BA0-43BD-B7EC-EDE199B33A02@amacapital.net> (raw)
In-Reply-To: <CAKOZuetZrL10zWwn4Jzzg0QL2nd3Fm0JxGtzC79SZAfOK525Ag@mail.gmail.com>
> On Nov 9, 2018, at 2:42 PM, Daniel Colascione <dancol at google.com> wrote:
>
> On Fri, Nov 9, 2018 at 2:37 PM, Andy Lutomirski <luto at amacapital.net> wrote:
>>> Another, more general fix might be to prevent /proc/pid/fd/N opens
>>> from "upgrading" access modes. But that'd be a bigger ABI break.
>>
>> I think we should fix that, too. I consider it a bug fix, not an ABI break, personally.
>
> Someone, somewhere is probably relying on it though, and that means
> that we probably can't change it unless it's actually causing
> problems.
>
> <mumble>spacebar heating</mumble>
I think it has caused problems in the past. It’s certainly extremely surprising behavior. I’d say it should be fixed and, if needed, a sysctl to unfix it might be okay.
>
>>>> That aside: I wonder whether a better API would be something that
>>>> allows you to create a new readonly file descriptor, instead of
>>>> fiddling with the writability of an existing fd.
>>>
>>> That doesn't work, unfortunately. The ashmem API we're replacing with
>>> memfd requires file descriptor continuity. I also looked into opening
>>> a new FD and dup2(2)ing atop the old one, but this approach doesn't
>>> work in the case that the old FD has already leaked to some other
>>> context (e.g., another dup, SCM_RIGHTS). See
>>> https://developer.android.com/ndk/reference/group/memory. We can't
>>> break ASharedMemory_setProt.
>>
>>
>> Hmm. If we fix the general reopen bug, a way to drop write access from an existing struct file would do what Android needs, right? I don’t know if there are general VFS issues with that.
>
> I also proposed that. :-) Maybe it'd work best as a special case of
> the perennial revoke(2) that people keep proposing. You'd be able to
> selectively revoke all access or just write access.
Sounds good to me, modulo possible races, but that shouldn’t be too hard to deal with.
WARNING: multiple messages have this Message-ID (diff)
From: luto@amacapital.net (Andy Lutomirski)
Subject: [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
Date: Fri, 9 Nov 2018 15:14:02 -0800 [thread overview]
Message-ID: <F8A6A5DC-3BA0-43BD-B7EC-EDE199B33A02@amacapital.net> (raw)
Message-ID: <20181109231402.d4YbSK64qeSmFbQClCBBjPJwV3vSu1oxEhDo5h9nVKA@z> (raw)
In-Reply-To: <CAKOZuetZrL10zWwn4Jzzg0QL2nd3Fm0JxGtzC79SZAfOK525Ag@mail.gmail.com>
> On Nov 9, 2018,@2:42 PM, Daniel Colascione <dancol@google.com> wrote:
>
> On Fri, Nov 9, 2018@2:37 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> Another, more general fix might be to prevent /proc/pid/fd/N opens
>>> from "upgrading" access modes. But that'd be a bigger ABI break.
>>
>> I think we should fix that, too. I consider it a bug fix, not an ABI break, personally.
>
> Someone, somewhere is probably relying on it though, and that means
> that we probably can't change it unless it's actually causing
> problems.
>
> <mumble>spacebar heating</mumble>
I think it has caused problems in the past. It’s certainly extremely surprising behavior. I’d say it should be fixed and, if needed, a sysctl to unfix it might be okay.
>
>>>> That aside: I wonder whether a better API would be something that
>>>> allows you to create a new readonly file descriptor, instead of
>>>> fiddling with the writability of an existing fd.
>>>
>>> That doesn't work, unfortunately. The ashmem API we're replacing with
>>> memfd requires file descriptor continuity. I also looked into opening
>>> a new FD and dup2(2)ing atop the old one, but this approach doesn't
>>> work in the case that the old FD has already leaked to some other
>>> context (e.g., another dup, SCM_RIGHTS). See
>>> https://developer.android.com/ndk/reference/group/memory. We can't
>>> break ASharedMemory_setProt.
>>
>>
>> Hmm. If we fix the general reopen bug, a way to drop write access from an existing struct file would do what Android needs, right? I don’t know if there are general VFS issues with that.
>
> I also proposed that. :-) Maybe it'd work best as a special case of
> the perennial revoke(2) that people keep proposing. You'd be able to
> selectively revoke all access or just write access.
Sounds good to me, modulo possible races, but that shouldn’t be too hard to deal with.
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto@amacapital.net>
To: Daniel Colascione <dancol@google.com>
Cc: Jann Horn <jannh@google.com>,
Joel Fernandes <joel@joelfernandes.org>,
kernel list <linux-kernel@vger.kernel.org>,
John Reck <jreck@google.com>,
John Stultz <john.stultz@linaro.org>,
Todd Kjos <tkjos@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Christoph Hellwig <hch@infradead.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Bruce Fields <bfields@fieldses.org>,
Jeff Layton <jlayton@kernel.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
Lei.Yang@windriver.com, linux-fsdevel@vger.kernel.org,
linux-kselftest@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
marcandre.lureau@redhat.com,
Mike Kravetz <mike.kravetz@oracle.com>,
Minchan Kim <minchan@kernel.org>, Shuah Khan <shuah@kernel.org>,
valdis.kletnieks@vt
Subject: Re: [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd
Date: Fri, 9 Nov 2018 15:14:02 -0800 [thread overview]
Message-ID: <F8A6A5DC-3BA0-43BD-B7EC-EDE199B33A02@amacapital.net> (raw)
In-Reply-To: <CAKOZuetZrL10zWwn4Jzzg0QL2nd3Fm0JxGtzC79SZAfOK525Ag@mail.gmail.com>
> On Nov 9, 2018, at 2:42 PM, Daniel Colascione <dancol@google.com> wrote:
>
> On Fri, Nov 9, 2018 at 2:37 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> Another, more general fix might be to prevent /proc/pid/fd/N opens
>>> from "upgrading" access modes. But that'd be a bigger ABI break.
>>
>> I think we should fix that, too. I consider it a bug fix, not an ABI break, personally.
>
> Someone, somewhere is probably relying on it though, and that means
> that we probably can't change it unless it's actually causing
> problems.
>
> <mumble>spacebar heating</mumble>
I think it has caused problems in the past. It’s certainly extremely surprising behavior. I’d say it should be fixed and, if needed, a sysctl to unfix it might be okay.
>
>>>> That aside: I wonder whether a better API would be something that
>>>> allows you to create a new readonly file descriptor, instead of
>>>> fiddling with the writability of an existing fd.
>>>
>>> That doesn't work, unfortunately. The ashmem API we're replacing with
>>> memfd requires file descriptor continuity. I also looked into opening
>>> a new FD and dup2(2)ing atop the old one, but this approach doesn't
>>> work in the case that the old FD has already leaked to some other
>>> context (e.g., another dup, SCM_RIGHTS). See
>>> https://developer.android.com/ndk/reference/group/memory. We can't
>>> break ASharedMemory_setProt.
>>
>>
>> Hmm. If we fix the general reopen bug, a way to drop write access from an existing struct file would do what Android needs, right? I don’t know if there are general VFS issues with that.
>
> I also proposed that. :-) Maybe it'd work best as a special case of
> the perennial revoke(2) that people keep proposing. You'd be able to
> selectively revoke all access or just write access.
Sounds good to me, modulo possible races, but that shouldn’t be too hard to deal with.
next prev parent reply other threads:[~2018-11-09 23:14 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-08 4:15 [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd Joel Fernandes (Google)
2018-11-08 4:15 ` Joel Fernandes (Google)
2018-11-08 4:15 ` joel
2018-11-08 4:15 ` [PATCH v3 resend 2/2] selftests/memfd: Add tests for F_SEAL_FUTURE_WRITE seal Joel Fernandes (Google)
2018-11-08 4:15 ` Joel Fernandes (Google)
2018-11-08 4:15 ` joel
2018-11-09 8:49 ` [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd Joel Fernandes
2018-11-09 8:49 ` Joel Fernandes
2018-11-09 8:49 ` joel
2018-11-09 20:36 ` Andrew Morton
2018-11-09 20:36 ` Andrew Morton
2018-11-09 20:36 ` akpm
2018-11-10 3:54 ` Joel Fernandes
2018-11-10 3:54 ` Joel Fernandes
2018-11-10 3:54 ` joel
2018-11-09 21:06 ` Jann Horn
2018-11-09 21:06 ` Jann Horn
2018-11-09 21:06 ` jannh
2018-11-09 21:19 ` Jann Horn
2018-11-09 21:19 ` Jann Horn
2018-11-09 21:19 ` jannh
2018-11-10 3:20 ` Joel Fernandes
2018-11-10 3:20 ` Joel Fernandes
2018-11-10 3:20 ` joel
2018-11-10 6:05 ` Andy Lutomirski
2018-11-10 6:05 ` Andy Lutomirski
2018-11-10 6:05 ` Andy Lutomirski
2018-11-10 6:05 ` luto
2018-11-10 18:24 ` Joel Fernandes
2018-11-10 18:24 ` Joel Fernandes
2018-11-10 18:24 ` Joel Fernandes
2018-11-10 18:24 ` Joel Fernandes
2018-11-10 18:24 ` joel
2018-11-10 18:45 ` Daniel Colascione
2018-11-10 18:45 ` Daniel Colascione
2018-11-10 18:45 ` Daniel Colascione
2018-11-10 18:45 ` dancol
2018-11-10 19:11 ` Daniel Colascione
2018-11-10 19:11 ` Daniel Colascione
2018-11-10 19:11 ` Daniel Colascione
2018-11-10 19:11 ` dancol
2018-11-10 19:55 ` Andy Lutomirski
2018-11-10 19:55 ` Andy Lutomirski
2018-11-10 19:55 ` Andy Lutomirski
2018-11-10 19:55 ` luto
2018-11-10 22:09 ` Joel Fernandes
2018-11-10 22:09 ` Joel Fernandes
2018-11-10 22:09 ` Joel Fernandes
2018-11-10 22:09 ` Joel Fernandes
2018-11-10 22:09 ` joel
2018-11-10 22:18 ` Andy Lutomirski
2018-11-10 22:18 ` Andy Lutomirski
2018-11-10 22:18 ` Andy Lutomirski
2018-11-10 22:18 ` luto
2018-11-11 2:38 ` Joel Fernandes
2018-11-11 2:38 ` Joel Fernandes
2018-11-11 2:38 ` Joel Fernandes
2018-11-11 2:38 ` Joel Fernandes
2018-11-11 2:38 ` joel
2018-11-11 3:40 ` Andy Lutomirski
2018-11-11 3:40 ` Andy Lutomirski
2018-11-11 3:40 ` Andy Lutomirski
2018-11-11 3:40 ` luto
2018-11-11 4:01 ` Joel Fernandes
2018-11-11 4:01 ` Joel Fernandes
2018-11-11 4:01 ` Joel Fernandes
2018-11-11 4:01 ` Joel Fernandes
2018-11-11 4:01 ` joel
2018-11-11 8:09 ` Joel Fernandes
2018-11-11 8:09 ` Joel Fernandes
2018-11-11 8:09 ` Joel Fernandes
2018-11-11 8:09 ` Joel Fernandes
2018-11-11 8:09 ` joel
2018-11-11 8:30 ` Daniel Colascione
2018-11-11 8:30 ` Daniel Colascione
2018-11-11 8:30 ` Daniel Colascione
2018-11-11 8:30 ` dancol
2018-11-11 15:14 ` Andy Lutomirski
2018-11-11 15:14 ` Andy Lutomirski
2018-11-11 15:14 ` Andy Lutomirski
2018-11-11 15:14 ` luto
2018-11-11 17:36 ` Joel Fernandes
2018-11-11 17:36 ` Joel Fernandes
2018-11-11 17:36 ` Joel Fernandes
2018-11-11 17:36 ` Joel Fernandes
2018-11-11 17:36 ` joel
2018-11-10 12:26 ` Daniel Colascione
2018-11-10 17:10 ` Joel Fernandes
2018-11-10 17:10 ` Joel Fernandes
2018-11-10 17:10 ` Joel Fernandes
2018-11-10 17:10 ` joel
2018-11-09 21:40 ` Andy Lutomirski
2018-11-09 21:40 ` Andy Lutomirski
2018-11-09 21:40 ` luto
2018-11-09 20:02 ` Michael Tirado
2018-11-09 20:02 ` Michael Tirado
2018-11-09 20:02 ` mtirado418
2018-11-10 1:49 ` Joel Fernandes
2018-11-10 1:49 ` Joel Fernandes
2018-11-10 1:49 ` joel
2018-11-09 22:20 ` Daniel Colascione
2018-11-09 22:20 ` Daniel Colascione
2018-11-09 22:20 ` Daniel Colascione
2018-11-09 22:20 ` dancol
2018-11-09 22:37 ` Andy Lutomirski
2018-11-09 22:37 ` Andy Lutomirski
2018-11-09 22:37 ` Andy Lutomirski
2018-11-09 22:37 ` luto
2018-11-09 22:42 ` Daniel Colascione
2018-11-09 22:42 ` Daniel Colascione
2018-11-09 22:42 ` Daniel Colascione
2018-11-09 22:42 ` dancol
2018-11-09 23:14 ` Andy Lutomirski [this message]
2018-11-09 23:14 ` Andy Lutomirski
2018-11-09 23:14 ` Andy Lutomirski
2018-11-09 23:14 ` luto
2018-11-10 1:36 ` Joel Fernandes
2018-11-10 1:36 ` Joel Fernandes
2018-11-10 1:36 ` Joel Fernandes
2018-11-10 1:36 ` Joel Fernandes
2018-11-10 1:36 ` joel
2018-11-09 23:46 ` Joel Fernandes
2018-11-09 23:46 ` Joel Fernandes
2018-11-09 23:46 ` joel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=F8A6A5DC-3BA0-43BD-B7EC-EDE199B33A02@amacapital.net \
--to=luto@amacapital.net \
--cc=Lei.Yang@windriver.com \
--cc=akpm@linux-foundation.org \
--cc=bfields@fieldses.org \
--cc=dancol@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=hughd@google.com \
--cc=jannh@google.com \
--cc=jlayton@kernel.org \
--cc=joel@joelfernandes.org \
--cc=john.stultz@linaro.org \
--cc=jreck@google.com \
--cc=khalid.aziz@oracle.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=marcandre.lureau@redhat.com \
--cc=mike.kravetz@oracle.com \
--cc=minchan@kernel.org \
--cc=shuah@kernel.org \
--cc=tkjos@google.com \
--cc=valdis.kletnieks@vt.edu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.