| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Aug 2022 19:53:35 +0000
From: Nadav Amit <namit@...are.com>
To: Axel Rasmussen <axelrasmussen@...gle.com>
CC: "Schaufler, Casey" <casey.schaufler@...el.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"Dmitry V . Levin" <ldv@...linux.org>,
Gleb Fotengauer-Malinovskiy <glebfm@...linux.org>,
Hugh Dickins <hughd@...gle.com>, Jan Kara <jack@...e.cz>,
Jonathan Corbet <corbet@....net>,
Mel Gorman <mgorman@...hsingularity.net>,
Mike Kravetz <mike.kravetz@...cle.com>,
Mike Rapoport <rppt@...nel.org>, Peter Xu <peterx@...hat.com>,
Shuah Khan <shuah@...nel.org>,
Suren Baghdasaryan <surenb@...gle.com>,
Vlastimil Babka <vbabka@...e.cz>,
zhangyi <yi.zhang@...wei.com>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
Andrea Arcangeli <aarcange@...hat.com>
Subject: Re: [PATCH v4 0/5] userfaultfd: add /dev/userfaultfd for fine grained
access control
On Aug 1, 2022, at 10:13 AM, Axel Rasmussen <axelrasmussen@...gle.com> wrote:
> ⚠ External Email
>
> I finished up some other work and got around to writing a v5 today,
> but I ran into a problem with /proc/[pid]/userfaultfd.
>
> Files in /proc/[pid]/* are owned by the user/group which started the
> process, and they don't support being chmod'ed.
>
> For the userfaultfd device, I think we want the following semantics:
> - For UFFDs created via the device, we want to always allow handling
> kernel mode faults
> - For security, the device should be owned by root:root by default, so
> unprivileged users don't have default access to handle kernel faults
> - But, the system administrator should be able to chown/chmod it, to
> grant access to handling kernel faults for this process more widely.
>
> It could be made to work like that but I think it would involve at least:
>
> - Special casing userfaultfd in proc_pid_make_inode
> - Updating setattr/getattr for /proc/[pid] to meaningfully store and
> then retrieve uid/gid different from the task's, again probably
> special cased for userfautlfd since we don't want this behavior for
> other files
>
> It seems to me such a change might raise eyebrows among procfs folks.
> Before I spend the time to write this up, does this seem like
> something that would obviously be nack'ed?
[ Please avoid top-posting in the future ]
I have no interest in making your life harder than it should be. If you
cannot find a suitable alternative, I will not fight against it.
How about this alternative: how about following KVM usage-model?
IOW: You open /dev/userfaultfd, but this is not the file-descriptor that you
use for most operations. Instead you first issue an ioctl - similarly to
KVM_CREATE_VM - to get a file-descriptor for your specific process. You then
use this new file-descriptor to perform your operations (read/ioctl/etc).
This would make the fact that ioctls/reads from different processes refer to
different contexts (i.e., file-descriptors) much more natural.
Does it sound better?
Powered by blists - more mailing lists