From: "Theo de Raadt"
To: Jeff Xu
cc: "Liam R. Howlett", Jonathan Corbet, akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
References: <20240131175027.3287009-1-jeffxu@chromium.org> <20240131193411.opisg5yoyxkwoyil@revolver>
Comments: In-reply-to Jeff Xu message dated "Wed, 31 Jan 2024 17:27:11 -0800."
Date: Wed, 31 Jan 2024 18:55:48 -0700
Message-ID: <44005.1706752548@cvs.openbsd.org>

I'd like to propose a new flag to the Linux open() system call.

It is O_DUPABLE

You mix it with other O_* flags to the open call, everyone is familiar with this, it is very easy to use.

If the O_DUPABLE flag is set, the file descriptor may be cloned with dup(), dup2() or similar call. If not set, those calls will return with -1 EPERM.

I know it goes strongly against the grain of ancient assumptions that file descriptors (just like memory) are fully mutable, and therefore managed with care. But in these trying times, we need protection against file descriptor desecration.

It protects programmers from accidentally making clones of file descriptors and leaking them out of programs, like I dunno, runc.

OK, besides this one very specific place that could (maybe) use it today, there is other code which can use this but the margin is too narrow to contain.

The documentation can describe the behaviour as similar to MAP_SEALABLE, so that no one is shocked.

/sarc