Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp3881459rwi;
        Sat, 22 Oct 2022 01:28:52 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM5VaLnAyOAqF7Ufx18egdGMXeERdP0SU6a0+REk6Y7ZgWaLzqHn0WT7pgsTphAVJHxFz6LE
X-Received: by 2002:a17:903:2342:b0:181:bc30:b02f with SMTP id c2-20020a170903234200b00181bc30b02fmr22878151plh.30.1666427332703;
        Sat, 22 Oct 2022 01:28:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666427332; cv=none;
        d=google.com; s=arc-20160816;
        b=GuwB/aPEJI01eFynDem3U2wVAEz66Rz6dyTYmT00mnKbaS5bC72H6EPOZFEJ0+LhCy
         da1cJo+OwCrFY6O9UinhEHmblSHPdB5qCodw4BiZ7Z5aaBB9KmKBf0bn3Z2Iaf7UmB+N
         6r5Xx7i4mbOjFjMAI9v23DDQSkhPQJvISVxxiBoOuELwlItp3cg1K+RX5EmedRd/8V8W
         50vvtYe5+CZQg9deQhovyES4o7INB4vav1/7N2IlfFQjv0B1oVDnRweGAw6L/LGyYqTC
         MIzUkthpVrXXVkx773ssl0vgIbRVCi7Pu1VNYh+OHQ8S/XXUtvUzcKIjku54qn3ZrFMc
         OP8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=IlZLaypbjwCRja7PjmrTTl1NJxqwdxrNBGqUZT7rM6s=;
        b=AZkp6PLQwKnlYmEL9PoQi2IabHLviVXn9pn9NqLbEYq6LodjAcu4OM6TLthTCuOzMk
         TnyWRTphuG+LL6j1WKzMmMKO9C2uztOajlalnr1yoLfRddcR9bXoO4LcDD2onMdElLkR
         xyu1SOZ1pVCA9U5/GoXOi0f4zGTx0+v0uqy3MRTLnmad6dEAjcYxP8KPpJKVrel9/ZXZ
         /L0Z3kQlQ2I/ElxFupk1/QUIQY0bZzp7/WbaIwc3Rlw7FuADSaFKnN3oFM3P4RIHR1B2
         aanNlrAWdyC1r1HjTcR4kvnCx0BZI/m2S/LTV4OGYThrkma/9qvNBJJeTjk4G8V+RolC
         5Qpg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Dp2cPbiI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id r10-20020a632b0a000000b0046e96b9ed89si8760140pgr.867.2022.10.22.01.28.41;
        Sat, 22 Oct 2022 01:28:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Dp2cPbiI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231534AbiJVHrE (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Sat, 22 Oct 2022 03:47:04 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34368 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231696AbiJVHpJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 22 Oct 2022 03:45:09 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A71BA13F7D;
        Sat, 22 Oct 2022 00:43:17 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 9636FB82E0C;
        Sat, 22 Oct 2022 07:42:03 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id EBC81C433D7;
        Sat, 22 Oct 2022 07:42:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666424522;
        bh=AoD7+dTTk9jFcrmi68nzi+Pl5BVo8xV9UUy1UM1JpqY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Dp2cPbiI6kVo9txPvU1CGMmerGi2mziYtq69ey+yaSRx9+vzR+HgX+DeBz+XSx8ld
         1x7pPGNGpoik0ffovnp4vmKzb5HGzCinM+WfCEOp6Dl3N7UWkb+epZZKLjTSKddl3o
         MyP4PoBonwu0Y3WfbvupCSD01UVnRscemZdv0o8s=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Robert OCallahan <roc@ocallahan.org>,
        Ondrej Mosnacek <omosnace@redhat.com>,
        Peter Xu <peterx@redhat.com>,
        "Christian Brauner (Microsoft)" <brauner@kernel.org>,
        Paul Moore <paul@paul-moore.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.19 178/717] userfaultfd: open userfaultfds with O_RDONLY
Date:   Sat, 22 Oct 2022 09:20:57 +0200
Message-Id: <20221022072447.079288900@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221022072415.034382448@linuxfoundation.org>
References: <20221022072415.034382448@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ondrej Mosnacek <omosnace@redhat.com>

[ Upstream commit abec3d015fdfb7c63105c7e1c956188bf381aa55 ]

Since userfaultfd doesn't implement a write operation, it is more
appropriate to open it read-only.

When userfaultfds are opened read-write like it is now, and such fd is
passed from one process to another, SELinux will check both read and
write permissions for the target process, even though it can't actually
do any write operation on the fd later.

Inspired by the following bug report, which has hit the SELinux scenario
described above:
https://bugzilla.redhat.com/show_bug.cgi?id=1974559

Reported-by: Robert O'Callahan <roc@ocallahan.org>
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/userfaultfd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index ab0576d372d6..fa0a2fa5debb 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -991,7 +991,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new,
 	int fd;
 
 	fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new,
-			O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
+			O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
 	if (fd < 0)
 		return fd;
 
@@ -2096,7 +2096,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
 	mmgrab(ctx->mm);
 
 	fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx,
-			O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
+			O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
 	if (fd < 0) {
 		mmdrop(ctx->mm);
 		kmem_cache_free(userfaultfd_ctx_cachep, ctx);
-- 
2.35.1