Received: by 2002:a17:90a:8504:0:0:0:0 with SMTP id l4csp2235918pjn; Thu, 24 Oct 2019 06:48:42 -0700 (PDT) X-Google-Smtp-Source: APXvYqywqMGx51WETUZX1X5zNeP8WK+xuzpz8FpPV8MD5nOrRJ0c8Xaxk+SlKX0A+Yr1o78IXcbO X-Received: by 2002:aa7:d3c4:: with SMTP id o4mr15923808edr.194.1571924922352; Thu, 24 Oct 2019 06:48:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571924922; cv=none; d=google.com; s=arc-20160816; b=G32IwzCwJpSpo2nO6GlVWuTm/JSADBFeUOWyp/5ROY/KZadig8z4eCCnbTu8+xPIu2 pY2HmBUwZtzZwpQV23aDETPguWVZE9P+mXTnM1JnsrJVQYjmlek2GvNbNLn3WPyACp+m qDBEVY8y3LZ9nNFoD/ltgogAbIANjK5ObsYHcucvenGMi/pv1cWF2ezOKwlUSgI1T2Bv 5LcYAf3ssJG/AKHhfOJHyiBGPkjL8odxXqUuO3VzshBgY/6AWTptGxyAUtTguS6wDK6S TadbqoGifjh3lLJedN/6x0Pi4J8WzlojHs7Gharqc0rSBV4z8asSgApoA3HkxUuwGM71 6tQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=qCIh34Dy46Ow5z7pzO2iDWZrFVZMl/gFR23P1A0VQn4=; b=eFMMJ9oWffdt9YLuVKnAJt78FGdmjSzAVhDvPWAH0fgbm1jQYFhcRduklWDNu2RYI2 Xle2fFBd1ooE3h3huFsHza/tTc1qeL4AaWOxXeMMHhzJQIAmU1EkUxZyvzIPZ/5BhqhV DdsaRPCf7jBnVeXTSStRGAFwSP9rnzVN3vvZEznm4q2rOjTyF7QEcj78B7IAuqC5SH64 afrDRbuASVE0Yhl9v5Jk6h0/iRloRswE6IswYlvjRaAz1L/GaW6a8E+Xo9iXchn7VaEA QAuL8Pab52OEKj5pQja4kqYNgWl7TRjlIuCdwbA7uKUL5XX1zWevBo+ZBLVW8zzFmNYT 6dIA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=N30U1gto; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a24si7533956eda.446.2019.10.24.06.48.15; Thu, 24 Oct 2019 06:48:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=N30U1gto; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390328AbfJWTVc (ORCPT + 99 others); Wed, 23 Oct 2019 15:21:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:34002 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732686AbfJWTVc (ORCPT ); Wed, 23 Oct 2019 15:21:32 -0400 Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5659B21A4A for ; Wed, 23 Oct 2019 19:21:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1571858491; bh=eA+ZT4QHat2+EIWy0C1wo1arzUq8iBFuHoCMVRtUvt8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=N30U1gto6Y/YW/X1kjdHTf6mLeW4+VibfbIFM42pv5YSs8asbTGcNaJWGqyX25TxZ z5gpw2lQn2AOn3p/diZj3/f2Oz28XCAKU3IjBQBjW9vLWlYnblHW6a82xQHkMXk/Ta DByiMu15BSt/Z7StrjbIRoYhSWZ8+32agPiSV8Js= Received: by mail-wr1-f49.google.com with SMTP id r1so13537992wrs.9 for ; Wed, 23 Oct 2019 12:21:31 -0700 (PDT) X-Gm-Message-State: APjAAAUZYLfdNSaZ8+CGB1INZ3jzu33026z80yP536Tm9ZnRYM4aQDRm Eq4x1gzaNMyT5KydpGdIFep3Y/y+TXYpgWgkpY9Tig== X-Received: by 2002:a05:6000:1288:: with SMTP id f8mr266958wrx.111.1571858489805; Wed, 23 Oct 2019 12:21:29 -0700 (PDT) MIME-Version: 1.0 References: <20191012191602.45649-1-dancol@google.com> <20191012191602.45649-4-dancol@google.com> <20191023190959.GA9902@redhat.com> In-Reply-To: <20191023190959.GA9902@redhat.com> From: Andy Lutomirski Date: Wed, 23 Oct 2019 12:21:18 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 3/7] Add a UFFD_SECURE flag to the userfaultfd API. To: Andrea Arcangeli Cc: Andy Lutomirski , Jann Horn , Daniel Colascione , Linus Torvalds , Pavel Emelyanov , Lokesh Gidra , Nick Kralevich , Nosh Minwalla , Tim Murray , Mike Rapoport , Linux API , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 23, 2019 at 12:10 PM Andrea Arcangeli wrote: > > Hello, > > On Sat, Oct 12, 2019 at 06:14:23PM -0700, Andy Lutomirski wrote: > > [adding more people because this is going to be an ABI break, sigh] > > That wouldn't break the ABI, no more than when if you boot a kernel > built with CONFIG_USERFAULTFD=n. > > All non-cooperative features can be removed any time in a backwards > compatible way, the only precaution is to mark their feature bits as > reserved so they can't be reused for something else later. > > > least severely restricted. A .read implementation MUST NOT ACT ON THE > > CALLING TASK. Ever. Just imagine the effect of passing a userfaultfd > > as stdin to a setuid program. > > With UFFD_EVENT_FORK, the newly created uffd that controls the child, > is not passed to the parent nor to the child. Instead it's passed to > the CRIU monitor only, which has to be already running as root and is > fully trusted and acts a hypervisor (despite there is no hypervisor). > > By the time execve runs and any suid bit in the execve'd inode becomes > relevant, well before the new userland executable code can run, the > kernel throws away the "old_mm" controlled by any uffd and all > attached uffds are released as well. > > All I found is your "A .read implementation MUST NOT ACT ON THE > CALLING TASK" as an explanation that something is broken but I need > further clarification. There are two things going on here. 1. Daniel wants to add LSM labels to userfaultfd objects. This seems reasonable to me. The question, as I understand it, is: who is the subject that creates a uffd referring to a forked child? I'm sure this is solvable in any number of straightforward ways, but I think it's less important than: 2. The existing ABI is busted independently of #1. Suppose you call userfaultfd to get a userfaultfd and enable UFFD_FEATURE_EVENT_FORK. Then you do: $ sudo <&[userfaultfd number] Sudo will read it and get a new fd unexpectedly added to its fd table. It's worse if SCM_RIGHTS is involved. So I think we either need to declare that UFFD_FEATURE_EVENT_FORK is only usable by global root or we need to remove it and maybe re-add it in some other form. --Andy