Date: Tue, 4 Aug 2020 14:16:08 -0700
From: Eric Biggers
To: Daniel Colascione
Cc: timmurray@google.com, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, viro@zeniv.linux.org.uk, paul@paul-moore.com, nnk@google.com, sds@tycho.nsa.gov, lokeshgidra@google.com, jmorris@namei.org
Subject: Re: [PATCH v5 3/3] Wire UFFD up to SELinux
Message-ID: <20200804211608.GC1992048@gmail.com>
References: <20200326200634.222009-1-dancol@google.com> <20200401213903.182112-1-dancol@google.com> <20200401213903.182112-4-dancol@google.com>
In-Reply-To: <20200401213903.182112-4-dancol@google.com>

On Wed, Apr 01, 2020 at 02:39:03PM -0700, Daniel Colascione wrote:
> This change gives userfaultfd file descriptors a real security
> context, allowing policy to act on them.
>
> Signed-off-by: Daniel Colascione
> ---
> fs/userfaultfd.c | 30 ++++++++++++++++++++++++++---- > 1 file changed, 26 insertions(+), 4 deletions(-) > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 37df7c9eedb1..78ff5d898733 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -76,6 +76,8 @@ struct userfaultfd_ctx { > bool mmap_changing; > /* mm with one ore more vmas attached to this userfaultfd_ctx */ > struct mm_struct *mm; > + /* The inode that owns this context --- not a strong reference. */ > + const struct inode *owner; > };

Adding this field seems wrong. There's no reference held to it, so it
can only be used if the caller holds a reference to the inode anyway.
The only user of this field is via userfaultfd_read(), so why not just
use the inode of the struct file passed to userfaultfd_read()?

> SYSCALL_DEFINE1(userfaultfd, int, flags) > { > + struct file *file; > struct userfaultfd_ctx *ctx; > int fd; 
> > @@ -1974,8 +1979,25 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > /* prevent the mm struct to be freed */ > mmgrab(ctx->mm); > > - fd = anon_inode_getfd("[userfaultfd]", &userfaultfd_fops, ctx, > - O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS)); > + file = anon_inode_getfile_secure( > + "[userfaultfd]", &userfaultfd_fops, ctx, > + O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), > + NULL); > + if (IS_ERR(file)) { > + fd = PTR_ERR(file); > + goto out; > + } > + > + fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC); > + if (fd < 0) { > + fput(file); > + goto out; > + } > + > + ctx->owner = file_inode(file); > + fd_install(fd, file); > + > +out: > if (fd < 0) { > mmdrop(ctx->mm); > kmem_cache_free(userfaultfd_ctx_cachep, ctx);

What's the point of anon_inode_getfile_secure()?
anon_inode_getfd_secure() would work here too.

- Eric
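
Review bot: in the struct userfaultfd_ctx hunk (@@ -76,6 +76,8 @@), the new owner field is a borrowed inode pointer whose comment says only "not a strong reference" and does not state what keeps the inode alive for as long as the context can dereference it. Either spell out the lifetime rule in the comment (who holds the reference, and when owner stops being valid) or drop the field and take the inode from the struct file at the point of use.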
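
Review bot: in the SYSCALL_DEFINE1 hunk (@@ -1974,8 +1979,25 @@), get_unused_fd_flags(O_RDONLY | O_CLOEXEC) hard-codes the descriptor flags, whereas the removed anon_inode_getfd() call was given O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), so the new descriptor is close-on-exec whether or not the caller asked for it. Derive the fd flags from the caller's flags instead, for example get_unused_fd_flags(flags & O_CLOEXEC). In the same hunk, the get_unused_fd_flags() failure path calls fput(file) and then jumps to out:, which runs mmdrop(ctx->mm) and kmem_cache_free(userfaultfd_ctx_cachep, ctx); the file was created with ctx as its private data, so confirm that the release operation in userfaultfd_fops does not drop the same context, otherwise this error path frees it twice.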