From: Daniel Colascione
Date: Tue, 5 Nov 2019 08:06:49 -0800
Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
To: Andy Lutomirski
Cc: Mike Rapoport, linux-kernel, Andrea Arcangeli, Andrew Morton, Jann Horn,
    Linus Torvalds, Lokesh Gidra, Nick Kralevich, Nosh Minwalla,
    Pavel Emelyanov, Tim Murray, Linux API, linux-mm
References: <1572967777-8812-1-git-send-email-rppt@linux.ibm.com>
            <1572967777-8812-2-git-send-email-rppt@linux.ibm.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Nov 5, 2019 at 8:00 AM Andy Lutomirski wrote:
>
> On Tue, Nov 5, 2019 at 7:55 AM Daniel Colascione wrote:
> >
> > On Tue, Nov 5, 2019 at 7:29 AM Mike Rapoport wrote:
> > >
> > > Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file
> > > descriptor table from the read() implementation of uffd, which may have
> > > security implications for unprivileged use of the userfaultfd.
> > >
> > > Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have
> > > CAP_SYS_PTRACE.
> >
> > Thanks. But shouldn't we be doing the capability check at
> > userfaultfd(2) time (when we do the other permission checks), not
> > later, in the API ioctl?
>
> The ioctl seems reasonable to me. In particular, if there is anyone
> who creates a userfaultfd as root and then drops permissions, a later
> ioctl could unexpectedly enable FORK.

Sure, but the same argument applies to all the other permission checks
that we do at open time, not at ioctl time. For better or for worse, the
DAC-ish model used in most places is that access checks happen at file
object creation time and anyone who has the FD can perform those
operations later. Confusing the model by doing *some* permission checks
at open time and *some* permission checks at usage time makes the system
harder to understand.
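As an added example (not code from the patch or from anyone in this thread), a small userspace probe that separates the two check points being debated: a refusal from userfaultfd(2) happens when the file object is created, while a refusal from UFFDIO_API happens at use time, which is where the posted patch puts the CAP_SYS_PTRACE check. The PROBE_* names and probe_event_fork are mine; UFFD_API, UFFDIO_API and UFFD_FEATURE_EVENT_FORK are the kernel's uapi names from <linux/userfaultfd.h>.

```c
/* Added example, not from the thread: ask the running kernel for
 * UFFD_FEATURE_EVENT_FORK and report at which step, if any, it refuses. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>
enum probe_stage {
    PROBE_ENABLED,       /* UFFDIO_API accepted EVENT_FORK for this caller */
    PROBE_NO_UFFD,       /* userfaultfd(2) failed: creation-time check, or no kernel support */
    PROBE_API_REJECTED   /* UFFDIO_API failed: use-time check on the feature itself */
};
struct probe_result { enum probe_stage stage; int err; /* errno of the failed step, else 0 */ };

struct probe_result probe_event_fork(void)
{
    struct probe_result r = { PROBE_ENABLED, 0 };
    struct uffdio_api api;
    int fd = (int)syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) {                           /* no fd at all: refused at creation */
        r.stage = PROBE_NO_UFFD; r.err = errno; return r;
    }
    memset(&api, 0, sizeof api);
    api.api = UFFD_API;
    api.features = UFFD_FEATURE_EVENT_FORK; /* the feature the patch gates */
    if (ioctl(fd, UFFDIO_API, &api) < 0) {  /* fd exists, but this use is refused */
        r.stage = PROBE_API_REJECTED; r.err = errno;
    }
    close(fd);
    return r;
}

/* The outcome is machine-dependent; the invariant is not: errno is set iff a step failed. */
int probe_result_is_consistent(struct probe_result r)
{
    return (r.stage == PROBE_ENABLED) == (r.err == 0);
}

int main(void)
{
    static const char *const names[] = { "enabled", "no-uffd", "api-rejected" };
    struct probe_result r = probe_event_fork();
    printf("EVENT_FORK: %s (%s)\n", names[r.stage], r.err ? strerror(r.err) : "ok");
    return 0;
}
```

Run it once unprivileged and once with CAP_SYS_PTRACE to see whether the kernel you are on carries the check; on kernels that restrict unprivileged userfaultfd(2) altogether, the probe stops at the creation step and never reaches the ioctl.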