Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp950108ybx; Tue, 5 Nov 2019 08:02:21 -0800 (PST) X-Google-Smtp-Source: APXvYqwvEw78LkQfbunbk/a8+HwpYzs2+R6Op8TfzkmI5XKAVEy7m+KY9k0yql29Nouobo1V8C48 X-Received: by 2002:a50:fa4a:: with SMTP id c10mr17969858edq.51.1572969741617; Tue, 05 Nov 2019 08:02:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572969741; cv=none; d=google.com; s=arc-20160816; b=NVrSXtTvinyDcD/3evfHq/02f3ndO1MCDQEd3A62QvAwpDo0i/dBR32zXS7c0hrtAh 7isELAL8T3dF5xSFtbrA3qQ4+tkQFZEt6f7fLCQ6UHcBDhtt37UM1aSDGsOw2dTmu9vb rw43GKKZ+F573sdIaXtUgVXcUNQ9MhNvFopGayWD+PaemT8+Vs7WSPW1wCInKwWSsMTB oLW3VYOwlBrl/NeniVRGbzAS+sKfQcvtvIGoesM9WnNVLWIgx4u/ct52wkJOh6mVzhVS 5mObAhwVXR9IVXM1m6kpPX1yDQk7S54/ElVK8VbWF5evF4OpG8VfjQLgH7atOpUiCfBg xpTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=7UdOgIZBbxEXvhyaIeh0b/CYWwSYfHQyqe+OtxBAJtc=; b=PNCxwAoWB5jZkyYYPCk13B59Z8RozgdBS1ISC3Bh3PMwhdiIZWJptKD3+A3LYLqIPX SYrfa0mdeD9N/QlvmAm4ncc0+j3+9N20qxzFT7EylE9BNcAxUzDmiLC+GSBqdWHgxuiz Xjst5CPyncEb9ADWJ0bT2Ag9Hrq+ve7KWzya/VO1Bd14Gtz8gDpnpsKa2nVofTK1EATQ XzTAioRoiCpUU8qi7xT83PmPmaAM1yUpHh9yP3RV3JwdtWpSsr+zfi+djLPvAfYXjQ1f LTsYBA5c9FfK/yXCjjOhEn2g9tiTipa+GhdToE9XvZ8QD25Ab6T2MK4dxKT8IJWWQfp+ 767A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=la98BUT4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g90si10731904edd.329.2019.11.05.08.01.57; Tue, 05 Nov 2019 08:02:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=la98BUT4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390073AbfKEQAk (ORCPT + 99 others); Tue, 5 Nov 2019 11:00:40 -0500 Received: from mail.kernel.org ([198.145.29.99]:51806 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389571AbfKEQAk (ORCPT ); Tue, 5 Nov 2019 11:00:40 -0500 Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 206B0217F5 for ; Tue, 5 Nov 2019 16:00:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572969639; bh=q2A2uMxzadSGRcZIaYT5uCotN7hZ7KNQChxEY5lqBfc=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=la98BUT48pfvW+DHwcuadG5iZNz4+oR5/MwjwcYS/q+eLbsi2eyOW1pVLwxPK46Sf BFy0EZhUvBH7RKyVdyf2RuYqHz7s6c22dmVDH/407wHkTmazDieQwp7xJlGSdYwg+g 3s796AOR/nqirBqmdk5eAT4jg0/8Alxjmio4Lgpc= Received: by mail-wr1-f43.google.com with SMTP id j15so1365517wrw.5 for ; Tue, 05 Nov 2019 08:00:39 -0800 (PST) X-Gm-Message-State: APjAAAWA7qAib00U5S9dMnKMjZ1uV62MpqzwLMQtGi6P4hZP3Dx08s4Q QS/C14mSgEWBCb+Y/PrubMHf2b7UbzusmWqKHDEPhg== X-Received: by 2002:a5d:51c2:: with SMTP id n2mr28174168wrv.149.1572969637572; Tue, 05 Nov 2019 08:00:37 -0800 (PST) MIME-Version: 1.0 References: <1572967777-8812-1-git-send-email-rppt@linux.ibm.com> <1572967777-8812-2-git-send-email-rppt@linux.ibm.com> In-Reply-To: From: Andy Lutomirski Date: Tue, 5 Nov 2019 08:00:26 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK To: Daniel Colascione Cc: Mike Rapoport , linux-kernel , Andrea Arcangeli , Andrew Morton , Andy Lutomirski , Jann Horn , Linus Torvalds , Lokesh Gidra , Nick Kralevich , Nosh Minwalla , Pavel Emelyanov , Tim Murray , Linux API , linux-mm Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 5, 2019 at 7:55 AM Daniel Colascione wrote: > > On Tue, Nov 5, 2019 at 7:29 AM Mike Rapoport wrote: > > > > Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file > > descriptor table from the read() implementation of uffd, which may have > > security implications for unprivileged use of the userfaultfd. > > > > Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have > > CAP_SYS_PTRACE. > > Thanks. But shouldn't we be doing the capability check at > userfaultfd(2) time (when we do the other permission checks), not > later, in the API ioctl? The ioctl seems reasonable to me. In particular, if there is anyone who creates a userfaultfd as root and then drop permissions, a later ioctl could unexpectedly enable FORK. This assumes that the code in question is only reachable through ioctl() and not write().