From: Andy Lutomirski
Date: Tue, 5 Nov 2019 08:00:26 -0800
Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
To: Daniel Colascione
Cc: Mike Rapoport, linux-kernel, Andrea Arcangeli, Andrew Morton, Andy Lutomirski, Jann Horn, Linus Torvalds, Lokesh Gidra, Nick Kralevich, Nosh Minwalla, Pavel Emelyanov, Tim Murray, Linux API, linux-mm
References: <1572967777-8812-1-git-send-email-rppt@linux.ibm.com> <1572967777-8812-2-git-send-email-rppt@linux.ibm.com>

On Tue, Nov 5, 2019 at 7:55 AM Daniel Colascione wrote:
>
> On Tue, Nov 5, 2019 at 7:29 AM Mike Rapoport wrote:
> >
> > Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file
> > descriptor table from the read() implementation of uffd, which may have
> > security implications for unprivileged use of the userfaultfd.
> >
> > Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have
> > CAP_SYS_PTRACE.
>
> Thanks. But shouldn't we be doing the capability check at
> userfaultfd(2) time (when we do the other permission checks), not
> later, in the API ioctl?

The ioctl seems reasonable to me. In particular, if there is anyone
who creates a userfaultfd as root and then drop permissions, a later
ioctl could unexpectedly enable FORK.

This assumes that the code in question is only reachable through
ioctl() and not write().
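The following is an added example, not code from this thread, from the patch, or from the kernel. It is a user-space probe for the exact sequence Andy describes: obtain a userfaultfd (possibly as root), optionally drop privileges, then request UFFD_FEATURE_EVENT_FORK through UFFDIO_API. It reports whether the refusal happens at userfaultfd(2) itself (Daniel's placement; also what the vm.unprivileged_userfaultfd sysctl produces on newer kernels) or at the ioctl (the patch's placement), or whether the feature is enabled. Assumptions: that the patched kernel answers UFFDIO_API with EPERM when EVENT_FORK is requested without CAP_SYS_PTRACE (the thread does not show the patch body), and that uid/gid 65534 is an unprivileged "nobody" account on the test machine.

```c
/* Added example (not from the thread, the patch, or the kernel): probe where a
 * kernel refuses UFFD_FEATURE_EVENT_FORK, with an optional privilege drop
 * between creating the fd and issuing UFFDIO_API.
 * Assumed: the patched kernel returns EPERM from UFFDIO_API for EVENT_FORK
 * without CAP_SYS_PTRACE; uid/gid 65534 is an unprivileged account. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

enum probe_result {
    PROBE_NO_UFFD,     /* userfaultfd(2) refused: syscall-time policy or no support */
    PROBE_API_EPERM,   /* fd obtained, UFFDIO_API refused EVENT_FORK: ioctl-time check */
    PROBE_API_EINVAL,  /* kernel does not know UFFD_FEATURE_EVENT_FORK */
    PROBE_API_OTHER,   /* any other failure after the fd was obtained */
    PROBE_ENABLED      /* EVENT_FORK accepted for this fd */
};

/* Pure mapping from the UFFDIO_API errno to an outcome; testable without a kernel. */
enum probe_result classify_api_errno(int err)
{
    switch (err) {
    case 0:      return PROBE_ENABLED;
    case EPERM:  return PROBE_API_EPERM;
    case EINVAL: return PROBE_API_EINVAL;
    default:     return PROBE_API_OTHER;
    }
}

const char *probe_describe(enum probe_result r)
{
    switch (r) {
    case PROBE_NO_UFFD:    return "userfaultfd(2) refused; feature check never reached";
    case PROBE_API_EPERM:  return "UFFDIO_API rejected EVENT_FORK (EPERM): checked at ioctl time";
    case PROBE_API_EINVAL: return "UFFDIO_API rejected EVENT_FORK (EINVAL): feature unknown";
    case PROBE_API_OTHER:  return "failed after userfaultfd(2) for an unrelated reason";
    case PROBE_ENABLED:    return "EVENT_FORK enabled";
    }
    return "?";
}

/* Drop from root to uid/gid 65534 (assumed "nobody"). Changing uid away from 0
 * clears the permitted and effective capability sets, so CAP_SYS_PTRACE is
 * gone afterwards. Returns 0 on success, -1 with errno set on failure. */
static int drop_to_nobody(void)
{
    if (setgid(65534) != 0) return -1;
    if (setuid(65534) != 0) return -1;
    return 0;
}

/* The sequence from the thread: create the fd (possibly as root), optionally
 * drop privileges, then ask for EVENT_FORK. A check recorded only at creation
 * time would let the ioctl succeed after the drop; an ioctl-time check refuses it. */
enum probe_result probe_event_fork(int drop_privs_first, int *saved_errno)
{
    long fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) {
        if (saved_errno) *saved_errno = errno;
        return PROBE_NO_UFFD;
    }
    if (drop_privs_first && geteuid() == 0 && drop_to_nobody() != 0) {
        if (saved_errno) *saved_errno = errno;
        close((int)fd);
        return PROBE_API_OTHER;
    }
    struct uffdio_api api;
    memset(&api, 0, sizeof api);
    api.api = UFFD_API;
    api.features = UFFD_FEATURE_EVENT_FORK;   /* the only feature we ask for */
    int err = ioctl((int)fd, UFFDIO_API, &api) == 0 ? 0 : errno;
    if (saved_errno) *saved_errno = err;
    close((int)fd);
    return classify_api_errno(err);
}

int main(int argc, char **argv)
{
    int drop = argc > 1 && strcmp(argv[1], "--drop-privs") == 0;
    int err = 0;
    enum probe_result r = probe_event_fork(drop, &err);
    printf("%s (errno %d: %s)\n", probe_describe(r), err, err ? strerror(err) : "ok");
    return 0;
}
```

Run it once unprivileged and once as root with `--drop-privs`. On a kernel with the check at ioctl time, the root run that drops privileges before UFFDIO_API reports EPERM from the ioctl, which is the behaviour Andy wants; a kernel that only checked at userfaultfd(2) would report EVENT_FORK enabled for that same fd. If the first run already fails at userfaultfd(2), the kernel is refusing unprivileged userfaultfd altogether and the feature check is never reached.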