On Sun, Jan 10, 2016 at 10:51:52PM +0300, Konstantin Khlebnikov wrote: > On Sun, Jan 10, 2016 at 10:30 PM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > > On Sun, Jan 10, 2016 at 06:48:32PM +0300, Konstantin Khlebnikov wrote: > >> I think this should be done in mmap/mprotect. Code in sys_mmap is trivial. > >> > >> In sys_mprotect you can check file_needs_remove_privs() and VM_SHARED > >> under mmap_sem, then if needed grab reference to struct file from vma and > >> clear suid after unlocking mmap_sem. > > > > Which vma? mprotect(2) can cover more than one mapping... You'd have to > > play interesting games to collect the set of affected struct file; it > > _might_ be doable (e.g. by using task_work_add() to have the damn thing > > trigger on the way to userland), but it would require some care to avoid > > hitting the same file more than once - it might, after all, be mmapped > > in more than one process, so racing mprotect() would need to be taken > > into account. Hell knows - might be doable, but I'm not sure it'll be > > any prettier. > > Ok, I didn't thought about that. mprotect don't have to be atomic for whole > range -- we could drop mmap_sem, clear suid from one file and restart it > for next vma and so on. Won't be fun. Even aside of the user-visible behaviour changes, you'll have a lot of new corner cases, starting with the fact that you can't hold onto vma - virtual address is the best you can do and vma you find after regaining mmap_sem might start at lower address than one where you are restarting; getting the splitting-related logics right will be interesting, to put it mildly. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>