On Tue, Nov 05, 2019 at 08:06:49AM -0800, Daniel Colascione wrote: > Sure, but the same argument applies to all the other permission checks > that we do at open time, not at ioctl time. For better or for worse, > the DAC-ish model used in most places is that access checks happen at > file object creation time and anyone who has the FD can perform those > operations later. Confusing the model by doing *some* permission > checks at open time and *some* permission checks at usage time makes > the system harder to understand. The only case that requires change is if userland requested the UFFD_FEATURE_EVENT_FORK feature (which AFIK only CRIU does) and that request is done in the UFFDIO_API call not during the syscall. Doing the check in the syscall would then break all non privileged users like if we'd set /proc/sys/vm/unprivileged_userfaultfd to zero. Qemu for example rightfully never runs with privilege (with a few exceptions like Kata which should be fixed in fact) and it never asks for the UFFD_FEATURE_EVENT_FORK feature either.
