Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2717631ybp; Sat, 12 Oct 2019 16:14:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqywuCSc6Iuhm5RyT+pIi/WF99HlTRbPSfmPwF8HfEB3rKLHc6T4uymHnhjcrTr+4LdyhtnK X-Received: by 2002:a17:906:6a4a:: with SMTP id n10mr21093908ejs.23.1570922078219; Sat, 12 Oct 2019 16:14:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570922078; cv=none; d=google.com; s=arc-20160816; b=gvmI1cMTRZNAv8Vi68r/X7XyYb6KtGL6QaPJuYa6VhecA6j4KKrGbcP3TEsVeXYm+e BLPjZ4Y+EaDI6dtB4Z2pdKfy4Qbt9aCg1cZkkILfySCkbrM3hBr10zalCRlMc1359+VB UqpcZqGASqpGn0sKWHYU524y99k4G94YoSg0uOs3y35nuFqIiHWQ8LbXJ+XLQSzzHI4D rrGAfzlqyUN9s1RXG1RjwKdgcYGxZylXh1cI7OnB7YklReVR9FDZzayDR596jKai5LP4 ET5ls3a2N75z494qixEckfPKi7Wg6w0Nqz+K6JAtu2CVBtNgxdYC3S60++xerXHc6TiX Ygxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=ri8mK2UA2MWfRjBQag39Xxc5rSmV0oc01o0g2NSGS78=; b=bbKbER/OJ9+2T9gZqQ4cc3OTzGZF8RqfKpUHztqBwCcW3GrnYhGwTycrgihRM+gKbx PNrJ34mnRapVFapB6kR4IV8Bpg1yGalS2RgE1Nzrj9oVRprQ2HZQT7o/hYvkuLs88cAq olEyVcBMmbuloQGiCp2uqNoFk8lhwcTMAILpxKfc5hDjg4Y1z0qldPiMZGZ0gVzoasok KaLyTtH4Z1xXzxahMygCWM+DvHW5OnXnfNBwUKPT/3n4mqx/lW2QfIq6noNhpNkbyQT3 EruOg5e2vWpUZPz8FDJQ54ZZi32AGm/PDWw8CRqVdufxsO2kefE30VMMtByvRpveVKp1 9ZRA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ToLqH5oB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g11si7900138ejj.11.2019.10.12.16.14.14; Sat, 12 Oct 2019 16:14:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ToLqH5oB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727953AbfJLXKa (ORCPT + 99 others); Sat, 12 Oct 2019 19:10:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:49028 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727751AbfJLXK3 (ORCPT ); Sat, 12 Oct 2019 19:10:29 -0400 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F16EA21850 for ; Sat, 12 Oct 2019 23:10:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570921829; bh=pj1lahYRxdOI7yK2NaSV1oz91qxQgkYl173+fPCkuTQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=ToLqH5oB9/3AEQRZ8q4dIYOZpjVOYIdrCsbcApF+aH8sFNXIaHKvs7RVa3t3LGKE3 1lRiyjwghxsWx7gaZQZyXeCzLnsPthXVyDgaZv0qnnlX3qhmup23BPLzyu67SMJYs4 AuBkuHS6Vm/qbVtO7LpEDMqSAHw0duh4NvT7Vp5k= Received: by mail-wm1-f50.google.com with SMTP id p7so13612244wmp.4 for ; Sat, 12 Oct 2019 16:10:28 -0700 (PDT) X-Gm-Message-State: APjAAAXWhGfYbr8K+tJT1kYPTu/gYtrbQJHPnTBLPTNUsGvXgnb7/8Gi ssRKjSJZN2AkcztdKXh4nptd2A7kS+Ma6xIIxQCYbg== X-Received: by 2002:a1c:a556:: with SMTP id o83mr9383160wme.0.1570921827409; Sat, 12 Oct 2019 16:10:27 -0700 (PDT) MIME-Version: 1.0 References: <20191012191602.45649-1-dancol@google.com> <20191012191602.45649-4-dancol@google.com> In-Reply-To: <20191012191602.45649-4-dancol@google.com> From: Andy Lutomirski Date: Sat, 12 Oct 2019 16:10:16 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 3/7] Add a UFFD_SECURE flag to the userfaultfd API. To: Daniel Colascione Cc: Linux API , LKML , lokeshgidra@google.com, Nick Kralevich , nosh@google.com, Tim Murray Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Oct 12, 2019 at 12:16 PM Daniel Colascione wrote: > > The new secure flag makes userfaultfd use a new "secure" anonymous > file object instead of the default one, letting security modules > supervise userfaultfd use. > > Requiring that users pass a new flag lets us avoid changing the > semantics for existing callers. Is there any good reason not to make this be the default? The only downside I can see is that it would increase the memory usage of userfaultfd(), but that doesn't seem like such a big deal. A lighter-weight alternative would be to have a single inode shared by all userfaultfd instances, which would require a somewhat different internal anon_inode API. In any event, I don't think that "make me visible to SELinux" should be a choice that user code makes. --Andy