Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp846188rwi;
        Wed, 19 Oct 2022 03:49:19 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM4WU8B9IHQKbJaYP6jJ8qIiN3Mp9zBqT/67NiOXBVG7CvfMs0Yq93Z5lslyNCumzpRpU45F
X-Received: by 2002:a17:907:320b:b0:780:280:7b72 with SMTP id xg11-20020a170907320b00b0078002807b72mr6389534ejb.146.1666176558890;
        Wed, 19 Oct 2022 03:49:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666176558; cv=none;
        d=google.com; s=arc-20160816;
        b=Wsx9nPmKFYSQ1YEwa2puX7yaYeDJfT0SA4qgLa6k4SevSt1M7EsTfoMM5MjDleXQOY
         QlWJ259T0QuKJG+HWzgDXVGlkz1hPPKWxHaQl8c0cBf5IiGVeoU7uVUZodIGLWTbPr+2
         TZfUp+pw+2rJqYzJeX3L/XzA4BCXj0jxS/EFkCeyK0VL7rtO8M5vrMsyGLxkXPzGnQYz
         7ThvoMzNMs0y7mGiXPxqVYVt5MfDXA4DU08OMdWzUiANjFJAdNJqvttHUin0bBRcsuVA
         4WrxyGByI1lSSRezZGp/ElgewejZbbJy2pQoa/eiSHSM2bfVEmen0AQNBNom+teUkQaj
         x0EA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=UuynBRzC068PlSLg8YaI9IPzgPbUSV14I+dRrJecnJs=;
        b=SBS4fEHN1MExg9SsDwgXEUwqaAavS/gDP5tnwS2Jdj5AghXWyt9eto3ABFd5DL7ogk
         +BrE+6M2MO7br+TaW5V2g9n4P7vpWCJok8PnaTJuaYsdnPGAjglBztikT0k9HWw7yoUH
         a03iVhysMNG2MQ7geh9ewzIUoYTMZNxv2NlcgTL4ekjyJavbb9z5wZnXu1magZvfE2bd
         0ouvBenBYFCTISAcRn2s55rODhWJkUWtfUluqXkSHn1ERad3OQhdok+IyFlGbJaauXVI
         8WV2yJp29/YPKI8cdoBF77cS+4xpEYOvr366j3E1T4ikZYCUhm5SxX7Lq8WNtd08MJ66
         Cxzg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=tqKdZp3u;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id p28-20020a50cd9c000000b00458ce1a20dfsi12408348edi.271.2022.10.19.03.48.52;
        Wed, 19 Oct 2022 03:49:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=tqKdZp3u;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233213AbiJSKri (ORCPT <rfc822;artur.folwarczny@gmail.com>
        + 99 others); Wed, 19 Oct 2022 06:47:38 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49162 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232801AbiJSKp1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Oct 2022 06:45:27 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3D38E26AF7;
        Wed, 19 Oct 2022 03:21:32 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id F3E36B82304;
        Wed, 19 Oct 2022 08:47:14 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4ED99C433C1;
        Wed, 19 Oct 2022 08:47:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666169233;
        bh=NNlN43yRYP/GS1meNtY2/HGKhqpVXSar/Y/KnVaTkSA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=tqKdZp3u/pujysaXeK19W8Y6rXPWUg8vUOpi4LM4JllX5UtheOR5vDqMVC0HGpaRn
         l4kvToE1sIMcSM8jACVHntCgqHBRth2Sk+si3gavR/BkgAvVFU4AsLk6B6j1YvNnvM
         f5hg69YqBKVVSo9LTcGIgLwi4pEzFv/XuvdUBfh0=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Robert OCallahan <roc@ocallahan.org>,
        Ondrej Mosnacek <omosnace@redhat.com>,
        Peter Xu <peterx@redhat.com>,
        "Christian Brauner (Microsoft)" <brauner@kernel.org>,
        Paul Moore <paul@paul-moore.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.0 204/862] userfaultfd: open userfaultfds with O_RDONLY
Date:   Wed, 19 Oct 2022 10:24:51 +0200
Message-Id: <20221019083259.023119499@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ondrej Mosnacek <omosnace@redhat.com>

[ Upstream commit abec3d015fdfb7c63105c7e1c956188bf381aa55 ]

Since userfaultfd doesn't implement a write operation, it is more
appropriate to open it read-only.

When userfaultfds are opened read-write like it is now, and such fd is
passed from one process to another, SELinux will check both read and
write permissions for the target process, even though it can't actually
do any write operation on the fd later.

Inspired by the following bug report, which has hit the SELinux scenario
described above:
https://bugzilla.redhat.com/show_bug.cgi?id=1974559

Reported-by: Robert O'Callahan <roc@ocallahan.org>
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/userfaultfd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 175de70e3adf..0c1d33c4f74c 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -991,7 +991,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new,
 	int fd;
 
 	fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new,
-			O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
+			O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
 	if (fd < 0)
 		return fd;
 
@@ -2094,7 +2094,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
 	mmgrab(ctx->mm);
 
 	fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx,
-			O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
+			O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
 	if (fd < 0) {
 		mmdrop(ctx->mm);
 		kmem_cache_free(userfaultfd_ctx_cachep, ctx);
-- 
2.35.1