From: Paul Moore
Date: Fri, 19 Aug 2022 14:50:57 -0400
Subject: Re: [RFC PATCH RESEND] userfaultfd: open userfaultfds with O_RDONLY
To: Ondrej Mosnacek, Alexander Viro, linux-fsdevel@vger.kernel.org
Cc: Andrew Morton, Andrea Arcangeli, Peter Xu, David Hildenbrand, Lokesh Gidra, linux-mm@kvack.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, "Robert O'Callahan"

On Tue, Aug 16, 2022 at 6:12 PM Paul Moore wrote:
> On Fri, Jul 8, 2022 at 5:35 AM Ondrej Mosnacek wrote:
> >
> > Since userfaultfd doesn't implement a write operation, it is more
> > appropriate to open it read-only.
> >
> > When userfaultfds are opened read-write like it is now, and such fd is
> > passed from one process to another, SELinux will check both read and
> > write permissions for the target process, even though it can't actually
> > do any write operation on the fd later.
> >
> > Inspired by the following bug report, which has hit the SELinux scenario
> > described above:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1974559
> >
> > Reported-by: Robert O'Callahan
> > Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
> > Signed-off-by: Ondrej Mosnacek > > --- > > > > Resending as the last submission was ignored for over a year... > > > > https://lore.kernel.org/lkml/20210624152515.1844133-1-omosnace@redhat.com/T/ > > > > I marked this as RFC, because I'm not sure if this has any unwanted side > > effects. I only ran this patch through selinux-testsuite, which has a > > simple userfaultfd subtest, and a reproducer from the Bugzilla report. > > > > Please tell me whether this makes sense and/or if it passes any > > userfaultfd tests you guys might have. > > > > fs/userfaultfd.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > VFS folks, any objection to this patch? It seems reasonable to me and > I'd really prefer this to go in via the vfs tree, but I'm not above > merging this via the lsm/next tree to get someone in vfs land to pay > attention to this ... Okay, final warning, if I don't see any objections to this when I make my patch sweep next week I'm going to go ahead and merge this via the LSM tree. > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > > index e943370107d0..8ccf00be63e1 100644 > > --- a/fs/userfaultfd.c > > +++ b/fs/userfaultfd.c > > @@ -989,7 +989,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new, > > int fd; > > > > fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new, > > - O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); > > + O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); > > if (fd < 0) > > return fd; > > > > @@ -2090,7 +2090,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > > mmgrab(ctx->mm); > > > > fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx, > > - O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); > > + O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); > > if (fd < 0) { > > mmdrop(ctx->mm); > > kmem_cache_free(userfaultfd_ctx_cachep, ctx); > > -- > > 2.36.1 > > -- > paul-moore.com -- paul-moore.com
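
Review bot: In the resolve_userfault_fork() hunk (@@ -989), the mode expression `O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS)` now has to stay identical to the one in the syscall path by hand. If the two ever diverge, the fd created for a forked context would carry a different access mode than the parent's, and an LSM would check different permissions when each is passed between processes. Consider defining the open mode once (a macro or small helper next to UFFD_SHARED_FCNTL_FLAGS) and using it in both anon_inode_getfd_secure() calls.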
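
Review bot: In the SYSCALL_DEFINE1(userfaultfd) hunk (@@ -2090), replacing O_RDWR with O_RDONLY changes the access mode that userspace observes on the returned fd, and the changelog does not mention this. Because the patch carries a Fixes: tag against the original userfaultfd commit, it is a candidate for stable backports, so the commit message should state that the change is user-visible and that testing so far is limited to selinux-testsuite and the Bugzilla reproducer. A one-line comment at the call explaining that the fd is read-only because userfaultfd_fops has no write operation would also keep the flag from being switched back later.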