On Tue, Nov 5, 2019 at 8:33 AM Andrea Arcangeli <aarcange@xxxxxxxxxx> wrote: > > On Tue, Nov 05, 2019 at 08:06:49AM -0800, Daniel Colascione wrote: > > Sure, but the same argument applies to all the other permission checks > > that we do at open time, not at ioctl time. For better or for worse, > > the DAC-ish model used in most places is that access checks happen at > > file object creation time and anyone who has the FD can perform those > > operations later. Confusing the model by doing *some* permission > > checks at open time and *some* permission checks at usage time makes > > the system harder to understand. > > The only case that requires change is if userland requested the > UFFD_FEATURE_EVENT_FORK feature (which AFIK only CRIU does) and that > request is done in the UFFDIO_API call not during the syscall. > > Doing the check in the syscall would then break all non privileged > users like if we'd set /proc/sys/vm/unprivileged_userfaultfd to > zero. I'm not suggesting that we fail userfaultfd(2) without CAP_SYS_PTRACE. That would, as you point out, break things. I'm talking about recording *whether* we had CAP_SYS_PTRACE in an internal flag in the uffd context when we create the thing --- and then, at ioctl time, checking that flag, not the caller's CAP_SYS_PTRACE, to see whether UFFD_FEATURE_EVENT_FORK should be made available. This way, the security check hinges on whether the caller *at create time* was privileged.
