From: Daniel Colascione
Date: Tue, 5 Nov 2019 09:02:09 -0800
Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
To: Andrea Arcangeli
Cc: Andy Lutomirski, Mike Rapoport, linux-kernel, Andrew Morton, Jann Horn, Linus Torvalds, Lokesh Gidra, Nick Kralevich, Nosh Minwalla, Pavel Emelyanov, Tim Murray, Linux API, linux-mm
In-Reply-To: <20191105165556.GK30717@redhat.com>
References: <1572967777-8812-1-git-send-email-rppt@linux.ibm.com> <1572967777-8812-2-git-send-email-rppt@linux.ibm.com> <20191105163316.GI30717@redhat.com> <20191105165556.GK30717@redhat.com>

On Tue, Nov 5, 2019 at 8:56 AM Andrea Arcangeli wrote:
>
> On Tue, Nov 05, 2019 at 08:39:26AM -0800, Daniel Colascione wrote:
> > I'm not suggesting that we fail userfaultfd(2) without CAP_SYS_PTRACE.
> > That would, as you point out, break things. I'm talking about
> > recording *whether* we had CAP_SYS_PTRACE in an internal flag in the
> > uffd context when we create the thing --- and then, at ioctl time,
> > checking that flag, not the caller's CAP_SYS_PTRACE, to see whether
> > UFFD_FEATURE_EVENT_FORK should be made available. This way, the
> > security check hinges on whether the caller *at create time* was
> > privileged.
>
> Until now it wasn't clear to me you still wanted to do the permission
> check at UFFDIO_API time, and you only intended to move the
> "measurement" of the capability to the syscall.
>
> So you're suggesting to add more kernel complexity to code pending for
> removal to achieve a theoretically more pure solution in the band-aid
> required to defer the removal of the POSIX-breaking read
> implementation of the uffd fork feature?

And you're suggesting making a security check work weirdly, unlike most
other security checks, because you hope it'll get removed one day?
Temporary solutions aren't, and if something goes into the kernel at
all, it's worth getting right. The general rule is that access checks
happen at open time.
The kernel has already been bitten by UFFD exempting itself from the normal rules (e.g., the read(2)-makes-a-file-descriptor thing) in the name of expediency. There shouldn't be any more exceptions.
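The check the thread argues about, seen from userspace, as an added example that is not part of the thread and not the kernel patch itself: a small Linux C program that reads the CapEff line of /proc/self/status to see whether the process currently holds CAP_SYS_PTRACE, then creates a userfaultfd and immediately negotiates UFFDIO_API requesting UFFD_FEATURE_EVENT_FORK, reporting whether the kernel grants it. It assumes a Linux toolchain with the uapi linux/userfaultfd.h header (it compiles to a stub that reports "unavailable" elsewhere), takes CAP_SYS_PTRACE_BIT = 19 from linux/capability.h, and the /proc/self/status text shown in the comments is constructed for illustration. The CapEff test only approximates the kernel's capable(), which also takes the user namespace into account.

```c
/* Added example, not code from the thread or from the kernel patch under
 * discussion. It checks CAP_SYS_PTRACE from /proc/self/status, then opens a
 * userfaultfd and immediately asks for UFFD_FEATURE_EVENT_FORK via UFFDIO_API,
 * i.e. it makes the privileged decision right at "open time". */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__linux__) && defined(__has_include)
#  if __has_include(<linux/userfaultfd.h>)
#    include <linux/userfaultfd.h>
#    include <sys/ioctl.h>
#    include <sys/syscall.h>
#    ifdef __NR_userfaultfd
#      define HAVE_UFFD 1
#    endif
#  endif
#endif
#ifndef HAVE_UFFD
#  define HAVE_UFFD 0            /* no usable header: probe reports UNAVAILABLE */
#endif
#ifndef UFFD_FEATURE_EVENT_FORK
#  define UFFD_FEATURE_EVENT_FORK (1 << 1)   /* value from the uapi header */
#endif

#define CAP_SYS_PTRACE_BIT 19    /* CAP_SYS_PTRACE in linux/capability.h */

/* Parse the "CapEff:" line of a /proc/<pid>/status text (constructed sample:
 * "CapEff:\t0000003fffffffff") and test one capability bit of the mask. */
bool capeff_has(const char *status_text, int cap)
{
    const char *line = strstr(status_text, "CapEff:");
    if (!line || cap < 0 || cap > 63)
        return false;
    line += strlen("CapEff:");
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(line, &end, 16);   /* skips the tab */
    if (end == line || errno != 0)
        return false;
    return (mask >> cap) & 1ULL;
}

/* Effective capability of the running process, read from /proc/self/status. */
bool self_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return false;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return capeff_has(buf, cap);
}

enum uffd_probe {
    UFFD_PROBE_UNAVAILABLE,  /* userfaultfd(2) itself failed: unsupported, disabled or denied */
    UFFD_PROBE_DENIED,       /* UFFDIO_API refused the EVENT_FORK request (see errno) */
    UFFD_PROBE_GRANTED       /* kernel accepted UFFD_FEATURE_EVENT_FORK for this fd */
};

/* Create a userfaultfd and negotiate UFFDIO_API at once, requesting EVENT_FORK.
 * Doing the handshake immediately after creation keeps the privilege decision
 * at open time, before the fd can be handed to a less privileged process.
 * On failure *err_out receives errno (0 on success). */
enum uffd_probe probe_event_fork(int *err_out)
{
    *err_out = 0;
#if HAVE_UFFD
    int fd = (int)syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) {
        *err_out = errno;
        return UFFD_PROBE_UNAVAILABLE;
    }
    struct uffdio_api api = { .api = UFFD_API, .features = UFFD_FEATURE_EVENT_FORK };
    enum uffd_probe r = UFFD_PROBE_GRANTED;
    if (ioctl(fd, UFFDIO_API, &api) < 0) {
        *err_out = errno;      /* e.g. the patch's capability refusal, or an old kernel */
        r = UFFD_PROBE_DENIED;
    }
    close(fd);
    return r;
#else
    *err_out = ENOSYS;
    return UFFD_PROBE_UNAVAILABLE;
#endif
}

int main(void)
{
    int err;
    enum uffd_probe r = probe_event_fork(&err);
    printf("CAP_SYS_PTRACE in CapEff: %s\n",
           self_has_cap(CAP_SYS_PTRACE_BIT) ? "yes" : "no");
    if (r == UFFD_PROBE_GRANTED)
        printf("UFFD_FEATURE_EVENT_FORK: granted\n");
    else
        printf("UFFD_FEATURE_EVENT_FORK: %s (%s)\n",
               r == UFFD_PROBE_DENIED ? "denied" : "unavailable", strerror(err));
    return 0;
}
```

Run it twice, once as an unprivileged user and once with CAP_SYS_PTRACE (for example under sudo), and compare the two reports; on kernels that gate userfaultfd(2) itself through vm.unprivileged_userfaultfd, the unprivileged run reports "unavailable" before the feature question is even reached. The point of negotiating UFFDIO_API right after creation is that the capability is measured while the creator still holds the fd, so a later recipient of the descriptor inherits the decision rather than re-deciding it.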