On Tue, Nov 5, 2019 at 7:55 AM Daniel Colascione <dancol@xxxxxxxxxx> wrote:
>
> On Tue, Nov 5, 2019 at 7:29 AM Mike Rapoport <rppt@xxxxxxxxxxxxx> wrote:
> >
> > Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file
> > descriptor table from the read() implementation of uffd, which may have
> > security implications for unprivileged use of the userfaultfd.
> >
> > Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have
> > CAP_SYS_PTRACE.
>
> Thanks. But shouldn't we be doing the capability check at
> userfaultfd(2) time (when we do the other permission checks), not
> later, in the API ioctl?

The ioctl seems reasonable to me. In particular, if there is anyone who creates a userfaultfd as root and then drops permissions, a later ioctl could unexpectedly enable FORK.

This assumes that the code in question is only reachable through ioctl() and not write().
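The scenario in the reply above, a userfaultfd opened with privileges and the UFFDIO_API ioctl issued only after the caller has dropped them, can be checked from user space. The probe below is an added example written for this thread; it is not part of the patch under discussion or of the kernel tree. It opens a userfaultfd, optionally switches to an unprivileged uid before the ioctl (uid 65534 in main() is an assumed "nobody" account), and then requests UFFD_FEATURE_EVENT_FORK. The constants and struct come from the kernel's uapi header linux/userfaultfd.h; whether the request is accepted, and which errno is returned when it is refused, depends on the running kernel and on whether the check lives in userfaultfd(2) or in the ioctl, which is exactly what the probe reports.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>

/* Only build the real probe where the kernel uapi headers are available. */
#if defined(__linux__) && defined(__NR_userfaultfd)
#include <linux/userfaultfd.h>
#define HAVE_UFFD 1
#else
#define HAVE_UFFD 0
#endif

enum uffd_probe {
    PROBE_UNSUPPORTED,  /* built on a system without userfaultfd headers */
    PROBE_OPEN_DENIED,  /* userfaultfd(2) itself was refused (EPERM, ENOSYS, ...) */
    PROBE_DROP_FAILED,  /* could not switch uid before the ioctl */
    PROBE_FORK_DENIED,  /* UFFDIO_API with UFFD_FEATURE_EVENT_FORK was refused */
    PROBE_FORK_ENABLED  /* the kernel accepted EVENT_FORK for this caller */
};

const char *probe_name(enum uffd_probe r)
{
    switch (r) {
    case PROBE_UNSUPPORTED:  return "unsupported";
    case PROBE_OPEN_DENIED:  return "userfaultfd(2) denied";
    case PROBE_DROP_FAILED:  return "uid switch failed";
    case PROBE_FORK_DENIED:  return "EVENT_FORK denied";
    case PROBE_FORK_ENABLED: return "EVENT_FORK enabled";
    }
    return "unknown";
}

/*
 * Open a userfaultfd; if drop_to_uid is not (uid_t)-1, switch all three
 * uids to it after the open but before the UFFDIO_API ioctl (switching
 * away from uid 0 also clears the capability sets, so CAP_SYS_PTRACE is
 * gone by the time the ioctl runs). Then request UFFD_FEATURE_EVENT_FORK.
 * out_errno, if non-NULL, receives errno for the refused outcomes.
 */
enum uffd_probe probe_event_fork(uid_t drop_to_uid, int *out_errno)
{
    if (out_errno)
        *out_errno = 0;
#if HAVE_UFFD
    int fd = (int)syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) {
        if (out_errno)
            *out_errno = errno;
        return PROBE_OPEN_DENIED;
    }

    if (drop_to_uid != (uid_t)-1 &&
        setresuid(drop_to_uid, drop_to_uid, drop_to_uid) != 0) {
        if (out_errno)
            *out_errno = errno;
        close(fd);
        return PROBE_DROP_FAILED;
    }

    struct uffdio_api api;
    memset(&api, 0, sizeof api);
    api.api = UFFD_API;
    api.features = UFFD_FEATURE_EVENT_FORK;

    /* rc == 0 means the kernel accepted the requested feature set. */
    int rc = ioctl(fd, UFFDIO_API, &api);
    int saved = errno;
    close(fd);
    if (rc != 0) {
        if (out_errno)
            *out_errno = saved;
        return PROBE_FORK_DENIED;
    }
    return PROBE_FORK_ENABLED;
#else
    (void)drop_to_uid;
    return PROBE_UNSUPPORTED;
#endif
}

int main(void)
{
    int err = 0;
    enum uffd_probe r = probe_event_fork((uid_t)-1, &err);
    printf("same privileges:      %s (errno %d: %s)\n",
           probe_name(r), err, err ? strerror(err) : "-");

    /* The case from the thread: open as root, drop to an unprivileged uid
     * (65534 assumed to be "nobody"), then issue the ioctl. */
    if (geteuid() == 0) {
        r = probe_event_fork(65534, &err);
        printf("opened as root, then dropped: %s (errno %d: %s)\n",
               probe_name(r), err, err ? strerror(err) : "-");
    }
    return 0;
}
```

With the capability check in the ioctl, the second run (root open, then uid switch) should report "EVENT_FORK denied"; with the check at userfaultfd(2) time it would report "EVENT_FORK enabled", which is the outcome the reply is arguing against. A sandboxed or seccomp-confined build may simply report "userfaultfd(2) denied".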