Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp1180325pxv; Fri, 23 Jul 2021 01:41:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz2ZI2DforMtDbpYOplXB9uRC3COYjbW+yswofzoaaF+uwzSQkfGx08sE6lJiL1EUoJjgCz X-Received: by 2002:a17:907:1c9f:: with SMTP id nb31mr3753504ejc.342.1627029708690; Fri, 23 Jul 2021 01:41:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627029708; cv=none; d=google.com; s=arc-20160816; b=t5lueVu3/z9tmrqGYN6a4KtAq5tDn+yW8GqqKNgFQF24PxNS2mGAMafHdov3G/eekJ bDN4ME6NSD/fA4laZpPslyWePY7ClVJqA9zw4h4mIJxh4QrD1tW33MPob1ivM2y6+U6V 9rVvTOJesbPoWYSUIaEyz2JwrVdDHACYH5hRl99uQyNdk8sGH7InqvEQJR6OpkTTcQFN FSK4Ucxr8ij9NvUSreN/HZdctj8x91XTa1C1cREceKD2px45J5cuPc6A4OK8JGZUHkcD LljUmjNAqPk7RtjCMzFNmLH/8Z1XXzd9q1KWMurK/7jrHAIqDTYINvaZQ/4nU4EQ5Dzr dmjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=0R6geRNUNQC0kRoF+lSv0pifLg2KS6M6ylGJCMhofy4=; b=AekmBO9gUIp/J2l1rFXhfQjVv7fT3JWEX7CP9zxqvkFn+z4WvBQbhqrM6NySDxXAds BDWz0aV/QjhbcJEI+frbzTcU9dzhYaJBScN4cPSEnPsZZ/u8rOjwUfKUTFzm+lTslcwO VQMrmyCP+0V3EVf72OJtougW2KenXxi3fBhit5RwxFvqJDeX0gu9jG30xnw+6gS/rjjO hYxYarcE8yU2FlBgcOBQSz3AQp6jM1um0hXU3kcmxJdiLvkECAN0g/5TMbQie/RuEFtS x134Nm15KcXiD1eN0ahoCeVysgrOUNzRZiV1Yy8W7W1LWvrp4Aadb0rJ68I+PA37v3oQ KU/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="IF4/l2ff"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p31si41876837edb.554.2021.07.23.01.41.25; Fri, 23 Jul 2021 01:41:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="IF4/l2ff"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234445AbhGWH7U (ORCPT + 99 others); Fri, 23 Jul 2021 03:59:20 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:44178 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234386AbhGWH7U (ORCPT ); Fri, 23 Jul 2021 03:59:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1627029593; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=0R6geRNUNQC0kRoF+lSv0pifLg2KS6M6ylGJCMhofy4=; b=IF4/l2ffsAVJmuw29rHktc4SwMyJ4y0K0BcSlO2tua+9Rx7EaPkkM5FhCmO+okA/6oW0sX yWOLuOvbyQCjf8p5QkNb2TUkxD0yZTib2yDJSgiSYfvokeQ6LHwvmdxXdFQY3qOCDp5KNv 5SvV5y0q9g7lB/Ue0IfhnsaZipA8h8U= Received: from mail-yb1-f197.google.com (mail-yb1-f197.google.com [209.85.219.197]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-527-2zxfhNhtMIOcjlQq-hERDw-1; Fri, 23 Jul 2021 04:39:51 -0400 X-MC-Unique: 2zxfhNhtMIOcjlQq-hERDw-1 Received: by mail-yb1-f197.google.com with SMTP id r1-20020a0569021541b029054df41d5cceso1004386ybu.18 for ; Fri, 23 Jul 2021 01:39:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0R6geRNUNQC0kRoF+lSv0pifLg2KS6M6ylGJCMhofy4=; b=NDqwBNcCRCyk238jQ34VWf5OAbnlWhm1ug3GXBW7ctKD/O/UWMoIlNiJTMZzCFCHMh QEWymU2KChnb8tlyFucXvPoGP1ijg7DUUD3zjiYKCGPEnBR2w4c1aWapG+X0JurdbHFa yOyvtEM1gsBKAxLBbkgbqCq5ZfPKWVgKRAqdsFVbNxUDZUyvfNHK/YpW3eVTQiYxuu+e cpcRrM0lGqoHI0dkaPG2zDQXQMVmMwSXaq5IN4vsGHgCG3fHXsB2ktyhX0Uhmr6xxw/z vlcsjCDEs82471N1S05p+ELiJQ7740qjV3pJQJ1aXQAbSpVxbMF4YZ7ri3v3aHc/6vXP vzew== X-Gm-Message-State: AOAM532lwJ6guuKsn6W2OzAKwKtfCvE2wiqyThPsN14z81/p52KdSRWJ ClMRxfba8+wSArc9I5byoOt59d0SRcY2HeVnrUCyyD6+Yguwvi9jCPUnNu4+gc7IahjigcpqkXJ 3K0q1f+eVh5AbrmYCXKQRaMx3xsYbs/ZojSjMMOzA X-Received: by 2002:a25:ad06:: with SMTP id y6mr4824944ybi.439.1627029591446; Fri, 23 Jul 2021 01:39:51 -0700 (PDT) X-Received: by 2002:a25:ad06:: with SMTP id y6mr4824924ybi.439.1627029591301; Fri, 23 Jul 2021 01:39:51 -0700 (PDT) MIME-Version: 1.0 References: <20210624152515.1844133-1-omosnace@redhat.com> In-Reply-To: <20210624152515.1844133-1-omosnace@redhat.com> From: Ondrej Mosnacek Date: Fri, 23 Jul 2021 10:39:40 +0200 Message-ID: Subject: Re: [RFC PATCH] userfaultfd: open userfaultfds with O_RDONLY To: Alexander Viro Cc: Andrea Arcangeli , Lokesh Gidra , Linux FS Devel , Linux Security Module list , SElinux list , Linux kernel mailing list , "Robert O'Callahan" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 24, 2021 at 5:25 PM Ondrej Mosnacek wrote: > > Since userfaultfd doesn't implement a write operation, it is more > appropriate to open it read-only. > > When userfaultfds are opened read-write like it is now, and such fd is > passed from one process to another, SELinux will check both read and > write permissions for the target process, even though it can't actually > do any write operation on the fd later. > > Inspired by the following bug report, which has hit the SELinux scenario > described above: > https://bugzilla.redhat.com/show_bug.cgi?id=1974559 > > Reported-by: Robert O'Callahan > Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization") > Signed-off-by: Ondrej Mosnacek > --- > > I marked this as RFC, because I'm not sure if this has any unwanted side > effects. I only ran this patch through selinux-testsuite, which has a > simple userfaultfd subtest, and a reproducer from the Bugzilla report. > > Please tell me whether this makes sense and/or if it passes any > userfaultfd tests you guys might have. > > fs/userfaultfd.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 14f92285d04f..24e14c36068f 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -986,7 +986,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new, > int fd; > > fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new, > - O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); > + O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); > if (fd < 0) > return fd; > > @@ -2088,7 +2088,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > mmgrab(ctx->mm); > > fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx, > - O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); > + O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); > if (fd < 0) { > mmdrop(ctx->mm); > kmem_cache_free(userfaultfd_ctx_cachep, ctx); > -- > 2.31.1 Ping? Any comments on this patch? -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.