Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp1312005ybx; Tue, 5 Nov 2019 14:03:01 -0800 (PST) X-Google-Smtp-Source: APXvYqxgxRdOMNhXUNf9uZjG5iRygeL89PQCT/RuzOYl43tBcd74JIqsXdNOSV7a3lJTAF+Iw8DJ X-Received: by 2002:aa7:c716:: with SMTP id i22mr12032279edq.237.1572991381497; Tue, 05 Nov 2019 14:03:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572991381; cv=none; d=google.com; s=arc-20160816; b=hE7PzyHopG6778GUEG3bsOp/10UPWVzBjgEK7YnFup7NEW75OsZzKv710v5SiTTJnk fakmVfLIE0UEYdFEaBAz6hc6kra2fMhnAo8nLEV0YcBUfrFHTFe4GXR7E2PpiUh1rzvl hxTO46fa9R8IbMfdRRsNZcyFYo18vEObHlsR4b03y35iRLNU8gQDD7Z0FNU4N9lKv3wm bhliQjn32cfIaZw5qL2oJxndxfnvmN7qi8/I4C//VPpsHOhxaKeT5FHviokQcxGb2lwM aAF1htxSuaLbhuFGtsh7lrTlJh/7ueOu+5sdR8VVlMFL0TVy9l/JFJuRjC2MghDw3VQs nH9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:in-reply-to:cc:references:message-id :date:subject:mime-version:from:content-transfer-encoding :dkim-signature; bh=A7ntIP7Pv94+JyCxBKyO+PR3oB2uhF7aSLknMJuGR54=; b=K8vh0V7/LFIv7EJ01lRglWoLI/VLXrACOAhY92UnepEvtzPfxWU1UpCrZ17/Vs9P6u /qj2PWqt//tUPfFyEaGs/F1D7h2FpvBnS4rSqsGyRIjeNZrPGNbf0aW/ctgPGw5rPouq 2n3cRTbzGA2cDDGmePZJFk6uD43NkFHpHpCvwDUM2gslbUsdspOUcj73TJQKGy6QvUq4 +wqT9ITLMXRQtjJPSxY7dvdmPtr/Tw8gFHEAYlnOEDLNre00uuoPlR8mG6VvDG9pwVrs J4dG6cBYEZAFXYyDOja8lo5mWWnaN88eNMRkaZSNbE8ya+uT8vRW505T88CSA9d2uYGs xwBw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=VGc5idT9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c2si12333860eda.322.2019.11.05.14.02.36; Tue, 05 Nov 2019 14:03:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=VGc5idT9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387398AbfKEWB4 (ORCPT + 99 others); Tue, 5 Nov 2019 17:01:56 -0500 Received: from mail-pg1-f196.google.com ([209.85.215.196]:41632 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730083AbfKEWBz (ORCPT ); Tue, 5 Nov 2019 17:01:55 -0500 Received: by mail-pg1-f196.google.com with SMTP id l3so15498227pgr.8 for ; Tue, 05 Nov 2019 14:01:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=A7ntIP7Pv94+JyCxBKyO+PR3oB2uhF7aSLknMJuGR54=; b=VGc5idT9oHFqNsyfeJQtiLGXaEfzZs+LnizeeHBN1hf2vJvDrjEssRXM+KqyPON/w4 XnbKdYccr81lAD6e/iN+6l/Dq4tPu19pl0UnJ7fciIZ9/6AONcHVukjFewb4PchiDh17 7ZPZihF1wJOMYKdIhjYSl5xVnwOnB1EbvZ1sv1e3OAKgQ5U7yKAERlW6szd40jmA1zkn AdFoPGkYJ3soBf432/rLYCS2v3QEXbCMHLpbH+eSaEQajYxFxt/RFcs7NZkkeYCP0Mmz kSc179mn0fGmgKGYJOb0sxsR7zgDRZPjOIBYL/0etkwTHLQn3m8fO5gAB5AGU8D5TsRQ sfiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=A7ntIP7Pv94+JyCxBKyO+PR3oB2uhF7aSLknMJuGR54=; b=B4AN2fg9fOUtQrjWLn3y5bA1UxpOevBtRXorRU9Ftfjc3NQFKMg7OlCr2amEpXZRSu 5wFJIchSCHIgGC/W+U53YslC3GCDUFszc7cuJYTVACWrQSNVqGuz2q7UIbaG0D1VVAj8 Zgdu4jzsdiX3K1YUwbeqIpckxuIcV9anhRWkqy5K9xGoNsnTWXglXq1u9WNbxBXAfsYi Orn0rGnVZJiuToE7AQ++fYysyZvT2FbAu3MUd3XmYJtqm0oHmh1ppObImjkeuhGBeit6 qexAoulOp/n1/+X7o2RZgx6PWtTWOnD5pVTY3WFiHJABRCSLgOGhsWRvzcWuwtrrSqxL 8pfw== X-Gm-Message-State: APjAAAVQAHF77x9UJmdd/ZArGQ5NSS1CfcmzqGV/mVqnvN4a3VffF2ix aexHyLUr4Pa/13Rvr2eXGt7K9g== X-Received: by 2002:a65:49cf:: with SMTP id t15mr33651193pgs.144.1572991314644; Tue, 05 Nov 2019 14:01:54 -0800 (PST) Received: from ?IPv6:2600:1010:b05d:f15:cda1:50c9:611b:faf7? ([2600:1010:b05d:f15:cda1:50c9:611b:faf7]) by smtp.gmail.com with ESMTPSA id a33sm20535517pgb.57.2019.11.05.14.01.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 05 Nov 2019 14:01:53 -0800 (PST) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Andy Lutomirski Mime-Version: 1.0 (1.0) Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK Date: Tue, 5 Nov 2019 14:01:51 -0800 Message-Id: <273986A1-A4BE-4FE5-B547-49CAA44C6FD3@amacapital.net> References: Cc: Andrea Arcangeli , Andy Lutomirski , Mike Rapoport , linux-kernel , Andrew Morton , Jann Horn , Linus Torvalds , Lokesh Gidra , Nick Kralevich , Nosh Minwalla , Pavel Emelyanov , Tim Murray , Linux API , linux-mm In-Reply-To: To: Daniel Colascione X-Mailer: iPhone Mail (17A878) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Nov 5, 2019, at 9:02 AM, Daniel Colascione wrote: >=20 > =EF=BB=BFOn Tue, Nov 5, 2019 at 8:56 AM Andrea Arcangeli wrote: >>=20 >>> On Tue, Nov 05, 2019 at 08:39:26AM -0800, Daniel Colascione wrote: >>> I'm not suggesting that we fail userfaultfd(2) without CAP_SYS_PTRACE. >>> That would, as you point out, break things. I'm talking about >>> recording *whether* we had CAP_SYS_PTRACE in an internal flag in the >>> uffd context when we create the thing --- and then, at ioctl time, >>> checking that flag, not the caller's CAP_SYS_PTRACE, to see whether >>> UFFD_FEATURE_EVENT_FORK should be made available. This way, the >>> security check hinges on whether the caller *at create time* was >>> privileged. >>=20 >> Until now it wasn't clear to me you still wanted to do the permission >> check in UFFDIO_API time, and you only intended to move the >> "measurement" of the capability to the syscall. >>=20 >> So you're suggesting to add more kernel complexity to code pending for >> removal to achieve a theoretically more pure solution in the band-aid >> required to defer the removal of the posix-breaking read >> implementation of the uffd fork feature? >=20 > And you're suggesting making a security check work weirdly unlike most > other security checks because you hope it'll get removed one day? > Temporary solutions aren't, and if something goes into the kernel at > all, it's worth getting right. The general rule is that access checks > happen at open time. The kernel has already been bitten by UFFD > exempting itself from the normal rules (e.g., the > read(2)-makes-a-file-descriptor thing) in the name of expediency. > There shouldn't be any more exceptions. I don=E2=80=99t think ioctl() checking permission is particularly unusual. I= n principle, it=E2=80=99s better than open for a retrofit =E2=80=94 open did= n=E2=80=99t capture this permission in the past, so adding it makes an exist= ing capability stronger than it was, which isn=E2=80=99t fantastic.=