On Aug 1, 2022, at 10:13 AM, Axel Rasmussen <axelrasmussen@xxxxxxxxxx> wrote: > ⚠ External Email > > I finished up some other work and got around to writing a v5 today, > but I ran into a problem with /proc/[pid]/userfaultfd. > > Files in /proc/[pid]/* are owned by the user/group which started the > process, and they don't support being chmod'ed. > > For the userfaultfd device, I think we want the following semantics: > - For UFFDs created via the device, we want to always allow handling > kernel mode faults > - For security, the device should be owned by root:root by default, so > unprivileged users don't have default access to handle kernel faults > - But, the system administrator should be able to chown/chmod it, to > grant access to handling kernel faults for this process more widely. > > It could be made to work like that but I think it would involve at least: > > - Special casing userfaultfd in proc_pid_make_inode > - Updating setattr/getattr for /proc/[pid] to meaningfully store and > then retrieve uid/gid different from the task's, again probably > special cased for userfautlfd since we don't want this behavior for > other files > > It seems to me such a change might raise eyebrows among procfs folks. > Before I spend the time to write this up, does this seem like > something that would obviously be nack'ed? [ Please avoid top-posting in the future ] I have no interest in making your life harder than it should be. If you cannot find a suitable alternative, I will not fight against it. How about this alternative: how about following KVM usage-model? IOW: You open /dev/userfaultfd, but this is not the file-descriptor that you use for most operations. Instead you first issue an ioctl - similarly to KVM_CREATE_VM - to get a file-descriptor for your specific process. You then use this new file-descriptor to perform your operations (read/ioctl/etc). This would make the fact that ioctls/reads from different processes refer to different contexts (i.e., file-descriptors) much more natural. Does it sound better?
