Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2840287ybp; Sat, 12 Oct 2019 18:45:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqwFKR6J+TdPwTj5KMejp+niwya0brTLvHh7GaMc6nrMaavfyuxWe7kw80JwCK6EHrjIrRAT X-Received: by 2002:a17:906:3946:: with SMTP id g6mr21535455eje.49.1570931145248; Sat, 12 Oct 2019 18:45:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570931145; cv=none; d=google.com; s=arc-20160816; b=uczcFDSap2bMnrgGlFVaZO/5yzkKtOhZVJdepbfn0z5dxEHZawrVCLJmA9VgKUy1RR Qjoes1dTfl3j5nNp9S1q3Xr8uKKNXwATo1R13zmPBNyi2e6Tndmwym0MDoFqD/NRnXWn ZoFZFhCqQCphShIz0iY30tY6nLnjg/qL1g24NrRPSXswdnBnXgkkbIAf4QJ8FVlg16yj vaD+7WFa2vkQJBD3ee4YMsHFf+rNifmljnX48QL19kOAhFvGcUbaUUcJrQ8kZ7K5VKPW iHRNXhY6lh3SRPHT5s9dBFiyhPdpsMGftoA4BG6Uc7mQ1oYhFvsMCZ94tfT1qKXgsEIx 3ygA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=/Jy22ng6gElVkC1n97JPqljcwN2SsuVr+9pT2+PW3kM=; b=tMBTaC0pr6g+ENiHjj/fRvuOuLslAvoznLW9zLZ6RLE8m6rP5Icw5V1pox9PYGByd2 skzS83uiFMq0CSEKUhVsbMThIqFWGAJ6uPTnfw3W0ZdeTMzsspHOohdF+ly8AZcLhdnd qDWXJ67Pwk2QA0aguc8FAS3M+j829ozkHn3uAbKQiTf/zisoYrneItTYOSTLnDWLhXhq V9mCr0j/6w3/k0BwDtm4WC/Gdqqw57GswKA9zdqcJ2Ci+YG+n30eqp59rJgdNZM6fcyc 0fXwKFy4Ig4LZVVE8iTeL1sbzxjV2VlW1v6FTh9OLCKK1f4Zlm7NdXeFbuLqF0ruMSaY 8QOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=hksf35rz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f26si8578131eji.55.2019.10.12.18.44.46; Sat, 12 Oct 2019 18:45:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=hksf35rz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727606AbfJMBjh (ORCPT + 99 others); Sat, 12 Oct 2019 21:39:37 -0400 Received: from mail-vk1-f196.google.com ([209.85.221.196]:44766 "EHLO mail-vk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727492AbfJMBjg (ORCPT ); Sat, 12 Oct 2019 21:39:36 -0400 Received: by mail-vk1-f196.google.com with SMTP id j21so2879446vki.11 for ; Sat, 12 Oct 2019 18:39:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/Jy22ng6gElVkC1n97JPqljcwN2SsuVr+9pT2+PW3kM=; b=hksf35rz1UBBepOScmnh04dme9w8o5PWT+X3OHMGbm0Phggg5ugSKGhSY4/1Lexg3R Vs7U4mS6IO4LIcC9lUSgwvVH2QAaidaf+gjcO3lSLxoU8lTER/I6gQyorafxo6YTx+To 2IagaGKlgphkiUBaCU7NXaK6X954aJsyKcOFV9uWgHzkGqa+58Nsa1YkyqdQIfeFAsqC BcgkoXyJu0H/8vrjB8Sz+9ReSDBbG2fNsTO9LDz/HO9shUaFvsQ+Fc23yapN6ayMDi4E hdDXLPRxqX/IXcKxXJGi2MemG/mpYhhsCm6z34ux18kA/PgBhRHqjiRu3byS4VDpZOjv xh/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/Jy22ng6gElVkC1n97JPqljcwN2SsuVr+9pT2+PW3kM=; b=L4KmFhv7EipKw2mDT1KwDQ6pHG6hm1rTHxRvwd641QgAcA+k62rdBhpFr0e46YylPL 8cZjf+U+HMzCPn+WlMTdr3Ehi3w7DpvTdzbWwv2W7tuImy2i+5oNPoLAKl4qkdv2v720 tSPb15E2o4b0t4W2+lWLh0Y3Ui+YVDNquogqJQkRrF1Iv3ZWXwKQwRKfvrs+jiKp2qlK 9ph+RFiXpXnYZpHMv7B0EBlKvmsb3Co+shD9UtxTOJF1TMrd7EtmQZtrBKes6+LcKMDK 0LCTZI48erV8JIKPzfWCsgoqtol4S9udn1ExeByI58hlznuIQLqWg00Gy0oBH4jTtkOv BqWA== X-Gm-Message-State: APjAAAWLHefIHPj8h6jDWvh0ilvcKazNLXPKNp/yrd8DK6OQgWE9vuF4 EWnr0Ht+B3DiKmnYM50FUO5KagSLa+IiT/Bi1b2Aww== X-Received: by 2002:a1f:1ad4:: with SMTP id a203mr12851304vka.81.1570930774956; Sat, 12 Oct 2019 18:39:34 -0700 (PDT) MIME-Version: 1.0 References: <20191012191602.45649-1-dancol@google.com> <20191012191602.45649-4-dancol@google.com> In-Reply-To: From: Daniel Colascione Date: Sat, 12 Oct 2019 18:38:58 -0700 Message-ID: Subject: Re: [PATCH 3/7] Add a UFFD_SECURE flag to the userfaultfd API. To: Andy Lutomirski Cc: Linus Torvalds , Jann Horn , Andrea Arcangeli , Pavel Emelyanov , Linux API , LKML , Lokesh Gidra , Nick Kralevich , Nosh Minwalla , Tim Murray Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Oct 12, 2019 at 6:14 PM Andy Lutomirski wrote: > .. > > > But maybe we can go further: let's separate authentication and > > authorization, as we do in other LSM hooks. Let's split my > > inode_init_security_anon into two hooks, inode_init_security_anon and > > inode_create_anon. We'd define the former to just initialize the file > > object's security information --- in the SELinux case, figuring out > > its class and SID --- and define the latter to answer the yes/no > > question of whether a particular anonymous inode creation should be > > allowed. Normally, anon_inode_getfile2() would just call both hooks. > > We'd add another anon_inode_getfd flag, ANON_INODE_SKIP_AUTHORIZATION > > or something, that would tell anon_inode_getfile2() to skip calling > > the authorization hook, effectively making the creation always > > succeed. We can then make the UFFD code pass > > ANON_INODE_SKIP_AUTHORIZATION when it's creating a file object in the > > fork child while creating UFFD_EVENT_FORK messages. > > That sounds like an improvement. Or maybe just teach SELinux that > this particular fd creation is actually making an anon_inode that is a > child of an existing anon inode and that the context should be copied > or whatever SELinux wants to do. Like this, maybe: > > static int resolve_userfault_fork(struct userfaultfd_ctx *ctx, > struct userfaultfd_ctx *new, > struct uffd_msg *msg) > { > int fd; > > Change this: > > fd = anon_inode_getfd("[userfaultfd]", &userfaultfd_fops, new, > O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS)); > > to something like: > > fd = anon_inode_make_child_fd(..., ctx->inode, ...); > > where ctx->inode is the one context's inode. Yeah. I figured we could just add a special-purpose hook for this case. Having a special hook for this one case feels ugly though, and at copy_mm time, we don't have a PID for the new child yet --- I don't know whether LSMs would care about that. But maybe this is one of those "doctor, it hurts when I do this!" situations and this child process difficulty is just a hint that some other design might work better. > Now that you've pointed this mechanism out, it is utterly and > completely broken and should be removed from the kernel outright or at > least severely restricted. A .read implementation MUST NOT ACT ON THE > CALLING TASK. Ever. Just imagine the effect of passing a userfaultfd > as stdin to a setuid program. > > So I think the right solution might be to attempt to *remove* > UFFD_EVENT_FORK. Maybe the solution is to say that, unless the > creator of a userfaultfd() has global CAP_SYS_ADMIN, then it cannot > use UFFD_FEATURE_EVENT_FORK) and print a warning (once) when > UFFD_FEATURE_EVENT_FORK is allowed. And, after some suitable > deprecation period, just remove it. If it's genuinely useful, it > needs an entirely new API based on ioctl() or a syscall. Or even > recvmsg() :) IMHO, userfaultfd should have been a datagram socket from the start. As you point out, it's a good fit for the UFFD protocol, which involves FD passing and a fixed message size. > And UFFD_SECURE should just become automatic, since you don't have a > problem any more. :-p Agreed. I'll wait to hear what everyone else has to say.