Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1248822imu; Fri, 9 Nov 2018 13:20:11 -0800 (PST) X-Google-Smtp-Source: AJdET5ctuPZuF4xi5YoXUvGC54ESvsHs8eYrUKkjG1N6aCaBfnAkSjnhsEneRqjqd+QHnz6qHMjC X-Received: by 2002:a62:507:: with SMTP id 7-v6mr10635519pff.80.1541798411576; Fri, 09 Nov 2018 13:20:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541798411; cv=none; d=google.com; s=arc-20160816; b=dVwWmavcOKvYjLYo3WxQ5exjkOYfaZcTmrjw6JkiQsQS6ILkyUUQxXTaAbQt9L2Etp jbK+lLQ53yxxnqcApENSHuITeiUtv/tejcWnWgH+3kcvXUu6Vj557D5IM4WxsVWEXGCm X/m1W6XV9eocc3i3TkxnGKDZIfdKqbI4W9qf1VFiRaMKQnZ8O4IU2pG4Xria8IONZSi3 a2MLWlZEcu2ebojR8iaNy5KXLY28XIB3CKTEk8ZTmn5fsp21rFNr+D1rHtUEpTintCB8 FIY8hFZkCa8uMsQVBYMHa3qPsp00QDa2aZxsn0mPTxeVM7pa1Ao4SDug4YhpdZxNS81j 32AA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=1uPTTTRfBBUmhrV7HkwLUyi9TvQ18jgLmCuRVixcUFM=; b=UT+05qOfgB4llK051G0RSBqdr/xURfiP0fQNlscSe5YpypzeJKu0tMzWaONn61Tbff DHBW6QSsK0JGGXR3d2S7CP7oss5go15zEwMHtacRv6aYnBdvsTE3NwEsEgdEltPCf7/R aegbGN6vaAM1xh8VCj56naTT4RZOa7vtgAufey/VR3e/+FH6VCg3y79lSfsnbjtlqKnC V8VkS3n9+tMIepUwNoEtSnwfHWgvgRP0L/XZ4vELbJh698cgHxF6TXmoarUX3jWabGdB ZSK91/uqOiB+XN4T3Zr1xWUqbxWSSC7jdfOHKdE67uXY+QGCGxmq0sHez7EivyvcBaI7 8u8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=mNc03Un0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 2-v6si9800159pla.223.2018.11.09.13.19.55; Fri, 09 Nov 2018 13:20:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=mNc03Un0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727979AbeKJHBx (ORCPT + 99 others); Sat, 10 Nov 2018 02:01:53 -0500 Received: from mail-ot1-f66.google.com ([209.85.210.66]:45719 "EHLO mail-ot1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725799AbeKJHBx (ORCPT ); Sat, 10 Nov 2018 02:01:53 -0500 Received: by mail-ot1-f66.google.com with SMTP id 32so2373547ota.12 for ; Fri, 09 Nov 2018 13:19:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1uPTTTRfBBUmhrV7HkwLUyi9TvQ18jgLmCuRVixcUFM=; b=mNc03Un05t32DPuvTXCqgJ6zyMbgFSmMAwqTgC1oyfoNDZ3MLGeXDsDODxT/aAe67I aTNO6tL0ILk7e0omr8AxfaGr4cxTXqS5xEKQbSHeOYbtsmTZOVIV0rz0ttmkEAfJ3rx4 KB54AvNoPRG3FomVb6qFLBA2eO+yuTSlaeTs3fnIJpdEn7AgoOJbYEMG60w5Y6Ym1NVb fKMOow4ysm7T9ze5myRedFfLa22lI52hpfKUx5dIN2BT77/rXAPd24OuUJ3TzEJZL7Ic SAreYwrV4LpH6RwP8Sc0xqYbuA4vRAf9ck26BIhOHqA3o4TMVxBWivs3cW3YqVqbgg08 HGrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1uPTTTRfBBUmhrV7HkwLUyi9TvQ18jgLmCuRVixcUFM=; b=j/J7Nrg+MH6tkwKdN6fx+1J66DKON7WCKAs4sOF0fQyGEZfGmOiqUvgjoC4qNtviDy DtGypZBXbwSU3Lman9X2IlsSBHe48nqutKNgmIh2bWd0Wyr19V62b9hMSvBY+Zs3nvSA VC/Vuz7p9Je3cG2DfQjLQOlyL0pIENUoO82o1brmzDtIZJ/5NN8Ws73O2gJkCfbI3iKr jD85E8t9S66jUbYlpByNN3y2/2PgSVGpgrIdYO8EAD+lJAjhk+tEd29mG/GXmCgSmZet KK6N7HTcdRwgDmIsJY59IGJcBr9H1c+W8Ve1ZnhZ1ysEZaOF5AYb1aNN38mXvxRrrbDg Pc8w== X-Gm-Message-State: AGRZ1gLM2FxXgSQKNtvZ41UCPAwQwomgznU82bLIcDMqiuj4ypgrSvjp 0qBIoBOPmcLewUWeVrmCB735aqyi1slwXFTQzdXj2A== X-Received: by 2002:a9d:421a:: with SMTP id q26mr6703290ote.255.1541798370528; Fri, 09 Nov 2018 13:19:30 -0800 (PST) MIME-Version: 1.0 References: <20181108041537.39694-1-joel@joelfernandes.org> In-Reply-To: From: Jann Horn Date: Fri, 9 Nov 2018 22:19:03 +0100 Message-ID: Subject: Re: [PATCH v3 resend 1/2] mm: Add an F_SEAL_FUTURE_WRITE seal to memfd To: joel@joelfernandes.org Cc: kernel list , jreck@google.com, John Stultz , Todd Kjos , Greg Kroah-Hartman , Christoph Hellwig , Al Viro , Andrew Morton , Daniel Colascione , Bruce Fields , jlayton@kernel.org, Khalid Aziz , Lei.Yang@windriver.com, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Linux-MM , marcandre.lureau@redhat.com, Mike Kravetz , minchan@kernel.org, shuah@kernel.org, valdis.kletnieks@vt.edu, Hugh Dickins , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Nov 9, 2018 at 10:06 PM Jann Horn wrote: > On Fri, Nov 9, 2018 at 9:46 PM Joel Fernandes (Google) > wrote: > > Android uses ashmem for sharing memory regions. We are looking forward > > to migrating all usecases of ashmem to memfd so that we can possibly > > remove the ashmem driver in the future from staging while also > > benefiting from using memfd and contributing to it. Note staging drivers > > are also not ABI and generally can be removed at anytime. > > > > One of the main usecases Android has is the ability to create a region > > and mmap it as writeable, then add protection against making any > > "future" writes while keeping the existing already mmap'ed > > writeable-region active. This allows us to implement a usecase where > > receivers of the shared memory buffer can get a read-only view, while > > the sender continues to write to the buffer. > > See CursorWindow documentation in Android for more details: > > https://developer.android.com/reference/android/database/CursorWindow > > > > This usecase cannot be implemented with the existing F_SEAL_WRITE seal. > > To support the usecase, this patch adds a new F_SEAL_FUTURE_WRITE seal > > which prevents any future mmap and write syscalls from succeeding while > > keeping the existing mmap active. > > Please CC linux-api@ on patches like this. If you had done that, I > might have criticized your v1 patch instead of your v3 patch... > > > The following program shows the seal > > working in action: > [...] > > Cc: jreck@google.com > > Cc: john.stultz@linaro.org > > Cc: tkjos@google.com > > Cc: gregkh@linuxfoundation.org > > Cc: hch@infradead.org > > Reviewed-by: John Stultz > > Signed-off-by: Joel Fernandes (Google) > > --- > [...] > > diff --git a/mm/memfd.c b/mm/memfd.c > > index 2bb5e257080e..5ba9804e9515 100644 > > --- a/mm/memfd.c > > +++ b/mm/memfd.c > [...] > > @@ -219,6 +220,25 @@ static int memfd_add_seals(struct file *file, unsigned int seals) > > } > > } > > > > + if ((seals & F_SEAL_FUTURE_WRITE) && > > + !(*file_seals & F_SEAL_FUTURE_WRITE)) { > > + /* > > + * The FUTURE_WRITE seal also prevents growing and shrinking > > + * so we need them to be already set, or requested now. > > + */ > > + int test_seals = (seals | *file_seals) & > > + (F_SEAL_GROW | F_SEAL_SHRINK); > > + > > + if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) { > > + error = -EINVAL; > > + goto unlock; > > + } > > + > > + spin_lock(&file->f_lock); > > + file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE); > > + spin_unlock(&file->f_lock); > > + } > > So you're fiddling around with the file, but not the inode? How are > you preventing code like the following from re-opening the file as > writable? > > $ cat memfd.c > #define _GNU_SOURCE > #include > #include > #include > #include > #include > #include > > int main(void) { > int fd = syscall(__NR_memfd_create, "testfd", 0); > if (fd == -1) err(1, "memfd"); > char path[100]; > sprintf(path, "/proc/self/fd/%d", fd); > int fd2 = open(path, O_RDWR); > if (fd2 == -1) err(1, "reopen"); > printf("reopen successful: %d\n", fd2); > } > $ gcc -o memfd memfd.c > $ ./memfd > reopen successful: 4 > $ > > That aside: I wonder whether a better API would be something that > allows you to create a new readonly file descriptor, instead of > fiddling with the writability of an existing fd. My favorite approach would be to forbid open() on memfds, hope that nobody notices the tiny API break, and then add an ioctl for "reopen this memfd with reduced permissions" - but that's just my personal opinion.