Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp1021240ybx; Tue, 5 Nov 2019 09:03:49 -0800 (PST) X-Google-Smtp-Source: APXvYqwi+LovvFOOWDiNPTjJUVM8pY1PgWf0znSlyTMArA+hpcLxjeoBBLn3MNREuNNo6MWanjim X-Received: by 2002:a50:b2c4:: with SMTP id p62mr34833974edd.128.1572973429600; Tue, 05 Nov 2019 09:03:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572973429; cv=none; d=google.com; s=arc-20160816; b=JfVxc5mV1STz6xkIzkLfSHLFXoGUGu8IWcQoog/IQJeoAhAinpGtA7aEW4y9/+vJ4Z y65AZcoz8OeaFVsrGYkc1fskM0nFElU40ZG/gmO+qFLeXdQBy5Ijx15QzMqwoIXQNSZd Omntcs6HsfMWNv3jn8AA6b3iIjugfJQOhLBbSoaW3Kav/7casVdqFDFQ9zzWIIkUD3on 3NWKBkTZjVhEEv6cdVJEvVK5b7DI2T/a+Ugt3bkS0x6260JmOQj60bdmUXqqtc33vWlB +nud27nBH5m79VGZZrWcpunNsMftggbaaw4YCGD2PMfXdUYyblTiwezFyNyjFL7RYr/u HPxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=3LbJPI0FDJ0eEH2iVM7vPGyU9geutYVr1qL8gmhIfHE=; b=Hje26f5S2JrusBWNUVSO6saJsRuBruCkuYdhdi+UIhnJkYQ64qFztM9czskgujXuky c9a+FL4bE7gEqTPvHzO7O2oZxOAv7CzvZhf50SKzoZXhzUL0Ve1XwyceHlvQBHg8cOdC ehltQ38gqZ7cl3vLfK+V3Dyd/5Z1UcTFsoFYyPa/idn4Oc0TWSHBDSG2gDzEVi8pR5eW 1Nb7PkVENZjF4nXRshjT5AgdxcgGziY0sQaFpP5W+OpNxRlCXHbyiLxitT7ylF7M4WGv egqFVttSYYbObsWgZXh4KHv+SMBVAaXDOiySlrGMEq494kml5FqvzIeQSqEa9KfV119J eYQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QDlUNpXd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id dc16si6981772ejb.192.2019.11.05.09.03.25; Tue, 05 Nov 2019 09:03:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QDlUNpXd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389105AbfKERCt (ORCPT + 99 others); Tue, 5 Nov 2019 12:02:49 -0500 Received: from mail-lf1-f67.google.com ([209.85.167.67]:41314 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387789AbfKERCs (ORCPT ); Tue, 5 Nov 2019 12:02:48 -0500 Received: by mail-lf1-f67.google.com with SMTP id j14so15684555lfb.8 for ; Tue, 05 Nov 2019 09:02:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3LbJPI0FDJ0eEH2iVM7vPGyU9geutYVr1qL8gmhIfHE=; b=QDlUNpXdd3Dyvqcp0bF9C4VAE6LpyEAfN3KCcFBDOBEqH3n8L0ZpW+QnevnXgO+jYu Qk8o1QZ5B54+yqYQT3t1wn/SYX8uoo4FtQ1RoMpU13Ly74nWaZ0DpB6c+SSSrHAm2jOf zyStjxIvVVyjTHDy76iWx/Fk+mv4DLTBXicRDuPGAVTUhNzNrCPpjPK7KNIliqLxmqiB 7T85gjDMOw7LSetpqnnY8SLtjNFCld4SIVi8OEtT4kdKKV7JOiysKXHmaTOJOxh+RA7i sp0okHC4thvaKKudFX+HbfOenxmYBJ8YHGdTvAjMhkrw0vRQ1VRkfjrtXACS9VQBneMH 4yMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3LbJPI0FDJ0eEH2iVM7vPGyU9geutYVr1qL8gmhIfHE=; b=ovOnjaiGWB9Fl/M+i9Fk1iTpsjXB3u/Sd9GM72s03mzPh2QK7KEel5OHbKxf35C3UP 8pMs7PBSNCIKICNQf1dXUIHB8WvteMjES6+oCunM+Y95f2jjikMWEq/j19u36dTnBtvr 6bGmjQr/4I33Lh8LRJRtllo1XYM00/7S0QqiC+SZ3m9qsAxkdYZOrMs48KNmdBksbVe5 hEAYd1ktJZmCrcnAzCBdyVlSeXHQc2+PkkY/uuZHFtk8Oj1wAG4japnoupak3MHyzPiG vK1G8O78MhU0MIP2IsRf545E/I4E4eBCe5dakoo9LbckJfHCQwZotwbYFjmhhUTDzBu6 0VEA== X-Gm-Message-State: APjAAAVOisvDc+/+e6GdVC5fC+pbFcvFw4U8Sx51IlY+XNWFuuc5R3bB kYIZUsVhHtfCNmaoqOS+EIwMwK6o5Q7OashQhjLh/A== X-Received: by 2002:a19:8582:: with SMTP id h124mr9689722lfd.64.1572973365922; Tue, 05 Nov 2019 09:02:45 -0800 (PST) MIME-Version: 1.0 References: <1572967777-8812-1-git-send-email-rppt@linux.ibm.com> <1572967777-8812-2-git-send-email-rppt@linux.ibm.com> <20191105163316.GI30717@redhat.com> <20191105165556.GK30717@redhat.com> In-Reply-To: <20191105165556.GK30717@redhat.com> From: Daniel Colascione Date: Tue, 5 Nov 2019 09:02:09 -0800 Message-ID: Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK To: Andrea Arcangeli Cc: Andy Lutomirski , Mike Rapoport , linux-kernel , Andrew Morton , Jann Horn , Linus Torvalds , Lokesh Gidra , Nick Kralevich , Nosh Minwalla , Pavel Emelyanov , Tim Murray , Linux API , linux-mm Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 5, 2019 at 8:56 AM Andrea Arcangeli wrote: > > On Tue, Nov 05, 2019 at 08:39:26AM -0800, Daniel Colascione wrote: > > I'm not suggesting that we fail userfaultfd(2) without CAP_SYS_PTRACE. > > That would, as you point out, break things. I'm talking about > > recording *whether* we had CAP_SYS_PTRACE in an internal flag in the > > uffd context when we create the thing --- and then, at ioctl time, > > checking that flag, not the caller's CAP_SYS_PTRACE, to see whether > > UFFD_FEATURE_EVENT_FORK should be made available. This way, the > > security check hinges on whether the caller *at create time* was > > privileged. > > Until now it wasn't clear to me you still wanted to do the permission > check in UFFDIO_API time, and you only intended to move the > "measurement" of the capability to the syscall. > > So you're suggesting to add more kernel complexity to code pending for > removal to achieve a theoretically more pure solution in the band-aid > required to defer the removal of the posix-breaking read > implementation of the uffd fork feature? And you're suggesting making a security check work weirdly unlike most other security checks because you hope it'll get removed one day? Temporary solutions aren't, and if something goes into the kernel at all, it's worth getting right. The general rule is that access checks happen at open time. The kernel has already been bitten by UFFD exempting itself from the normal rules (e.g., the read(2)-makes-a-file-descriptor thing) in the name of expediency. There shouldn't be any more exceptions.