From: Andrea Arcangeli <aarcange@redhat.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Jann Horn <jannh@google.com>,
Daniel Colascione <dancol@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Lokesh Gidra <lokeshgidra@google.com>,
Nick Kralevich <nnk@google.com>, Nosh Minwalla <nosh@google.com>,
Tim Murray <timmurray@google.com>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Linux API <linux-api@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [PATCH 3/7] Add a UFFD_SECURE flag to the userfaultfd API.
Date: Wed, 23 Oct 2019 18:41:10 -0400 [thread overview]
Message-ID: <20191023224110.GE9902@redhat.com> (raw)
In-Reply-To: <CALCETrVS_Ym9wpvTP-ys-OBKCgg7QQjPdhJZe5YXJ6e8JQkNQQ@mail.gmail.com>
On Wed, Oct 23, 2019 at 02:25:35PM -0700, Andy Lutomirski wrote:
> That doesn't solve the problem. With your time machine, you should
Would you elaborate what problem remains if execve closes all uffd
so that read() cannot run post execve?
> instead use ioctl() or recvmsg().
The event delivery is modeled after eventfd.c per userfaultfd.c header
file, so would then eventfd also need to be converted to ioctl or
recvmsg to deliver its event any better? Initially I evaluated to use
eventfd for it in fact, but it wasn't possible. I didn't look like it
could get any better than eventfd in terms of event delivery.
Or do you refer to single out only the delivery of the UFFD_EVENT_FORK
event not through read()?
> > 4) enforce the global root permission check when creating the uffd only if
> > UFFD_FEATURE_EVENT_FORK is set.
>
> This could work, but we should also add a better way to do
> UFFD_FEATURE_EVENT_FORK and get CRIU to start using it. If CRIU is
> the only user, we can probably drop the old ABI after a couple of
> releases, since as far as I know, CRIU users need to upgrade their
> CRIU more or less in sync with the kernel so that new kernel features
> get checkpointed and restored.
Getting CRIU stat using it shouldn't be a problem at all, but we'll be
back to square one if you just stop there.
I don't see how to lift those limitations in the wiki to make it
usable in production by just providing a better way to do
UFFD_FEATURE_EVENT_FORK.
If you're volunteering to fix the limitations and make CRIU usable in
production that would be awesome, then of course we should do whatever
possible to improve UFFD_FEATURE_EVENT_FORK.
Thanks,
Andrea
next prev parent reply other threads:[~2019-10-23 22:41 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-12 19:15 [PATCH 0/7] Harden userfaultfd Daniel Colascione
2019-10-12 19:15 ` [PATCH 1/7] Add a new flags-accepting interface for anonymous inodes Daniel Colascione
2019-10-14 4:26 ` kbuild test robot
2019-10-14 15:38 ` Jann Horn
2019-10-14 18:15 ` Daniel Colascione
2019-10-14 18:30 ` Jann Horn
2019-10-15 8:08 ` Christoph Hellwig
2019-10-12 19:15 ` [PATCH 2/7] Add a concept of a "secure" anonymous file Daniel Colascione
2019-10-14 3:01 ` kbuild test robot
2019-10-15 8:08 ` Christoph Hellwig
2019-10-12 19:15 ` [PATCH 3/7] Add a UFFD_SECURE flag to the userfaultfd API Daniel Colascione
2019-10-12 23:10 ` Andy Lutomirski
2019-10-13 0:51 ` Daniel Colascione
2019-10-13 1:14 ` Andy Lutomirski
2019-10-13 1:38 ` Daniel Colascione
2019-10-14 16:04 ` Jann Horn
2019-10-23 19:09 ` Andrea Arcangeli
2019-10-23 19:21 ` Andy Lutomirski
2019-10-23 21:16 ` Andrea Arcangeli
2019-10-23 21:25 ` Andy Lutomirski
2019-10-23 22:41 ` Andrea Arcangeli [this message]
2019-10-23 23:01 ` Andy Lutomirski
2019-10-23 23:27 ` Andrea Arcangeli
2019-10-23 20:05 ` Daniel Colascione
2019-10-24 0:23 ` Andrea Arcangeli
2019-10-23 20:15 ` Linus Torvalds
2019-10-24 9:02 ` Mike Rapoport
2019-10-24 15:10 ` Andrea Arcangeli
2019-10-25 20:12 ` Mike Rapoport
2019-10-22 21:27 ` Daniel Colascione
2019-10-23 4:11 ` Andy Lutomirski
2019-10-23 7:29 ` Cyrill Gorcunov
2019-10-23 12:43 ` Mike Rapoport
2019-10-23 17:13 ` Andy Lutomirski
2019-10-12 19:15 ` [PATCH 4/7] Teach SELinux about a new userfaultfd class Daniel Colascione
2019-10-12 23:08 ` Andy Lutomirski
2019-10-13 0:11 ` Daniel Colascione
2019-10-13 0:46 ` Andy Lutomirski
2019-10-12 19:16 ` [PATCH 5/7] Let userfaultfd opt out of handling kernel-mode faults Daniel Colascione
2019-10-12 19:16 ` [PATCH 6/7] Allow users to require UFFD_SECURE Daniel Colascione
2019-10-12 23:12 ` Andy Lutomirski
2019-10-12 19:16 ` [PATCH 7/7] Add a new sysctl for limiting userfaultfd to user mode faults Daniel Colascione
2019-10-16 0:02 ` [PATCH 0/7] Harden userfaultfd James Morris
2019-11-15 15:09 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191023224110.GE9902@redhat.com \
--to=aarcange@redhat.com \
--cc=dancol@google.com \
--cc=dgilbert@redhat.com \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lokeshgidra@google.com \
--cc=luto@kernel.org \
--cc=nnk@google.com \
--cc=nosh@google.com \
--cc=rppt@linux.vnet.ibm.com \
--cc=timmurray@google.com \
--cc=torvalds@linux-foundation.org \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).