From: "Theo de Raadt" <deraadt@openbsd.org>
To: Jeff Xu
Cc: "Liam R. Howlett", Jonathan Corbet, akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
Date: Wed, 31 Jan 2024 18:55:48 -0700
Message-ID: <44005.1706752548@cvs.openbsd.org>
References: <20240131175027.3287009-1-jeffxu@chromium.org> <20240131193411.opisg5yoyxkwoyil@revolver>
Comments: In-reply-to Jeff Xu message dated "Wed, 31 Jan 2024 17:27:11 -0800."

I'd like to propose a new flag to the Linux open() system call. It is O_DUPABLE.

You mix it with other O_* flags to the open call, everyone is familiar with this, it is very easy to use.

If the O_DUPABLE flag is set, the file descriptor may be cloned with dup(), dup2() or similar call. If not set, those calls will return with -1 EPERM.

I know it goes strongly against the grain of ancient assumptions that file descriptors (just like memory) are fully mutable, and therefore managed with care. But in these trying times, we need protection against file descriptor desecration.
It protects programmers from accidentally making clones of file descriptors and leaking them out of programs, like I dunno, runc.

OK, besides this one very specific place that could (maybe) use it today, there is other code which can use this but the margin is too narrow to contain.

The documentation can describe the behaviour as similar to MAP_SEALABLE, so that no one is shocked.

/sarc