On Tue, Aug 16, 2022 at 6:12 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > On Fri, Jul 8, 2022 at 5:35 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > Since userfaultfd doesn't implement a write operation, it is more > > appropriate to open it read-only. > > > > When userfaultfds are opened read-write like it is now, and such fd is > > passed from one process to another, SELinux will check both read and > > write permissions for the target process, even though it can't actually > > do any write operation on the fd later. > > > > Inspired by the following bug report, which has hit the SELinux scenario > > described above: > > https://bugzilla.redhat.com/show_bug.cgi?id=1974559 > > > > Reported-by: Robert O'Callahan <roc@xxxxxxxxxxxxx> > > Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization") > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > --- > > > > Resending as the last submission was ignored for over a year... > > > > https://lore.kernel.org/lkml/20210624152515.1844133-1-omosnace@xxxxxxxxxx/T/ > > > > I marked this as RFC, because I'm not sure if this has any unwanted side > > effects. I only ran this patch through selinux-testsuite, which has a > > simple userfaultfd subtest, and a reproducer from the Bugzilla report. > > > > Please tell me whether this makes sense and/or if it passes any > > userfaultfd tests you guys might have. > > > > fs/userfaultfd.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > VFS folks, any objection to this patch? It seems reasonable to me and > I'd really prefer this to go in via the vfs tree, but I'm not above > merging this via the lsm/next tree to get someone in vfs land to pay > attention to this ... Okay, final warning, if I don't see any objections to this when I make my patch sweep next week I'm going to go ahead and merge this via the LSM tree. > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > > index e943370107d0..8ccf00be63e1 100644 > > --- a/fs/userfaultfd.c > > +++ b/fs/userfaultfd.c > > @@ -989,7 +989,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new, > > int fd; > > > > fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new, > > - O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); > > + O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); > > if (fd < 0) > > return fd; > > > > @@ -2090,7 +2090,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > > mmgrab(ctx->mm); > > > > fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx, > > - O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); > > + O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); > > if (fd < 0) { > > mmdrop(ctx->mm); > > kmem_cache_free(userfaultfd_ctx_cachep, ctx); > > -- > > 2.36.1 > > -- > paul-moore.com -- paul-moore.com
