From: Daniel Colascione
Date: Tue, 5 Nov 2019 07:55:17 -0800
Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
To: Mike Rapoport
Cc: linux-kernel, Andrea Arcangeli, Andrew Morton, Andy Lutomirski, Jann Horn, Linus Torvalds, Lokesh Gidra, Nick Kralevich, Nosh Minwalla, Pavel Emelyanov, Tim Murray, Linux API, linux-mm
References: <1572967777-8812-1-git-send-email-rppt@linux.ibm.com> <1572967777-8812-2-git-send-email-rppt@linux.ibm.com>
In-Reply-To: <1572967777-8812-2-git-send-email-rppt@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 5, 2019 at 7:29 AM Mike Rapoport wrote:
>
> Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file
> descriptor table from the read() implementation of uffd, which may have
> security implications for unprivileged use of the userfaultfd.
>
> Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have
> CAP_SYS_PTRACE.

Thanks. But shouldn't we be doing the capability check at userfaultfd(2)
time (when we do the other permission checks), not later, in the API
ioctl?
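The two places a check can sit, userfaultfd(2) and the UFFDIO_API ioctl, can be told apart from userspace. The probe below is an added example, not code from this thread or from the kernel tree; `probe_uffd` and `struct uffd_probe` are hypothetical names, and it assumes a Linux build host with `<linux/userfaultfd.h>`. It reports which step refuses the caller and with which errno.

```c
/* Added illustration, not from the thread: which userfaultfd setup step refuses us? */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

enum uffd_stage { UFFD_OK = 0, UFFD_FAIL_CREATE = 1, UFFD_FAIL_API = 2 };

struct uffd_probe {           /* hypothetical result type for this example */
    enum uffd_stage stage;    /* step that refused the request */
    int err;                  /* errno from that step, 0 on success */
};

/* Create a userfaultfd, then negotiate `features` through UFFDIO_API. */
static struct uffd_probe probe_uffd(unsigned long long features)
{
    struct uffd_probe r = { UFFD_OK, 0 };
    struct uffdio_api api = { .api = UFFD_API, .features = features };
    int fd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);

    if (fd < 0) {             /* refused at userfaultfd(2) time */
        r.stage = UFFD_FAIL_CREATE;
        r.err = errno;
        return r;
    }
    if (ioctl(fd, UFFDIO_API, &api) < 0) {   /* refused later, in the API ioctl */
        r.stage = UFFD_FAIL_API;
        r.err = errno;
    }
    close(fd);
    return r;
}

int main(void)
{
    static const char *const where[] = { "ok", "userfaultfd(2)", "UFFDIO_API" };
    struct uffd_probe base = probe_uffd(0);
    struct uffd_probe fork_ev = probe_uffd(UFFD_FEATURE_EVENT_FORK);

    printf("no features:             %s (errno %d)\n", where[base.stage], base.err);
    printf("UFFD_FEATURE_EVENT_FORK: %s (errno %d)\n", where[fork_ev.stage], fork_ev.err);
    return 0;
}
```

Run it as the unprivileged user under test: a refusal that appears only on the second line, at the UFFDIO_API step, is a feature-specific check in the ioctl, while a refusal at userfaultfd(2) applies regardless of the requested features.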