From patchwork Fri Jul 8 09:34:51 2022
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 12910800
From: Ondrej Mosnacek
To: Alexander Viro, Andrew Morton
Cc: Andrea Arcangeli, Peter Xu, David Hildenbrand, Lokesh Gidra, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, Robert O'Callahan
Subject: [RFC PATCH RESEND] userfaultfd: open userfaultfds with O_RDONLY
Date: Fri, 8 Jul 2022 11:34:51 +0200
Message-Id: <20220708093451.472870-1-omosnace@redhat.com>

Since userfaultfd doesn't implement a write operation, it is more appropriate to open it read-only.

When userfaultfds are opened read-write like it is now, and such fd is passed from one process to another, SELinux will check both read and write permissions for the target process, even though it can't actually do any write operation on the fd later.

Inspired by the following bug report, which has hit the SELinux scenario described above:
https://bugzilla.redhat.com/show_bug.cgi?id=1974559

Reported-by: Robert O'Callahan
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Ondrej Mosnacek
Acked-by: Peter Xu
Acked-by: Christian Brauner (Microsoft)
---

Resending as the last submission was ignored for over a year...

https://lore.kernel.org/lkml/20210624152515.1844133-1-omosnace@redhat.com/T/

I marked this as RFC, because I'm not sure if this has any unwanted side effects. I only ran this patch through selinux-testsuite, which has a simple userfaultfd subtest, and a reproducer from the Bugzilla report.

Please tell me whether this makes sense and/or if it passes any userfaultfd tests you guys might have.

 fs/userfaultfd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index e943370107d0..8ccf00be63e1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c
@@ -989,7 +989,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new, int fd; fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new, - O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); + O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); if (fd < 0) return fd; @@ -2090,7 +2090,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) mmgrab(ctx->mm); fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx, - O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); + O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); if (fd < 0) { mmdrop(ctx->mm); kmem_cache_free(userfaultfd_ctx_cachep, ctx);
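
Review bot: In the resolve_userfault_fork() hunk, the access mode is spelled out a second time, in the same form as at the userfaultfd() syscall site (O_RDONLY OR-ed with the UFFD_SHARED_FCNTL_FLAGS subset). The commit message argues that the mode matters for the permission check made when the fd is passed to another process, so the fd handed out for a fork event and the fd returned by the syscall need to stay in step. Consider defining the mode once, for example in a small macro next to UFFD_SHARED_FCNTL_FLAGS, and using it at both call sites. A one-line comment giving the reason (userfaultfd has no write operation, per the commit message) would also discourage a later change from restoring O_RDWR at only one of them.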
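
Review bot: In the SYSCALL_DEFINE1(userfaultfd) hunk, the flags handed to anon_inode_getfd_secure() become the open flags of the fd returned to userspace, which makes this a userspace-visible change: a caller that inspects the fd with fcntl(F_GETFL) will see O_RDONLY where it used to see O_RDWR. The commit message should say so explicitly. It should also state that only the open flags change and the ioctl path is untouched, so "read-only" is not read as restricting what the holder of the fd can do with it. The message reports that only selinux-testsuite and the Bugzilla reproducer were run, so a pass of the kernel's userfaultfd selftests before the RFC tag is dropped would settle the side-effects question it raises.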