Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK

From: Andy Lutomirski
Date: Tue Nov 05 2019 - 11:00:42 EST


On Tue, Nov 5, 2019 at 7:55 AM Daniel Colascione <dancol@xxxxxxxxxx> wrote:
>
> On Tue, Nov 5, 2019 at 7:29 AM Mike Rapoport <rppt@xxxxxxxxxxxxx> wrote:
> >
> > Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file
> > descriptor table from the read() implementation of uffd, which may have
> > security implications for unprivileged use of the userfaultfd.
> >
> > Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have
> > CAP_SYS_PTRACE.
>
> Thanks. But shouldn't we be doing the capability check at
> userfaultfd(2) time (when we do the other permission checks), not
> later, in the API ioctl?

The ioctl seems reasonable to me. In particular, if there is anyone
who creates a userfaultfd as root and then drops permissions, a later
ioctl could unexpectedly enable FORK.

This assumes that the code in question is only reachable through
ioctl() and not write().
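As an added illustration of the two check placements discussed above (not code from the patch, the kernel, or anyone in this thread), the following userspace model contrasts a snapshot of the creator's capability taken at userfaultfd(2) time with a check of the caller's current credentials at UFFDIO_API time. The `struct cred`, `struct uffd_ctx` and `uffd_*` names are hypothetical stand-ins for the kernel objects, and the scenario functions construct the "create as root, drop CAP_SYS_PTRACE, then enable the feature" sequence from the reply.

```c
/* Added example: a model of where the CAP_SYS_PTRACE check can live.
 * All structs and functions here are hypothetical stand-ins, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Defined locally so the example compiles without the uapi header. */
#define UFFD_FEATURE_EVENT_FORK (1u << 1)

/* A caller's credentials at the moment of a given syscall (constructed). */
struct cred { bool cap_sys_ptrace; };

/* Minimal model of a userfaultfd object. */
struct uffd_ctx {
    bool creator_had_ptrace;   /* snapshot taken at userfaultfd(2) time */
    unsigned int features;     /* features enabled by UFFDIO_API */
};

/* Model of userfaultfd(2): records who created the fd. */
static void uffd_create(struct uffd_ctx *ctx, const struct cred *caller)
{
    ctx->creator_had_ptrace = caller->cap_sys_ptrace;
    ctx->features = 0;
}

/* Variant A: decide based on the creator's capability snapshot only. */
static int uffd_api_check_at_create(struct uffd_ctx *ctx, const struct cred *caller,
                                    unsigned int requested)
{
    (void)caller;  /* current credentials are ignored in this variant */
    if ((requested & UFFD_FEATURE_EVENT_FORK) && !ctx->creator_had_ptrace)
        return -EPERM;
    ctx->features = requested;
    return 0;
}

/* Variant B: check the caller's *current* credentials at UFFDIO_API time. */
static int uffd_api_check_at_ioctl(struct uffd_ctx *ctx, const struct cred *caller,
                                   unsigned int requested)
{
    if ((requested & UFFD_FEATURE_EVENT_FORK) && !caller->cap_sys_ptrace)
        return -EPERM;
    ctx->features = requested;
    return 0;
}

/* Scenario from the reply: create as root, drop CAP_SYS_PTRACE, then ask for
 * EVENT_FORK. Returns the ioctl result for the chosen variant. */
static int scenario_drop_privs(bool check_at_ioctl)
{
    struct cred root = { .cap_sys_ptrace = true };
    struct cred dropped = { .cap_sys_ptrace = false };
    struct uffd_ctx ctx;

    uffd_create(&ctx, &root);
    return check_at_ioctl
        ? uffd_api_check_at_ioctl(&ctx, &dropped, UFFD_FEATURE_EVENT_FORK)
        : uffd_api_check_at_create(&ctx, &dropped, UFFD_FEATURE_EVENT_FORK);
}

/* Control scenario: never privileged; both variants must refuse. */
static int scenario_unprivileged(bool check_at_ioctl)
{
    struct cred user = { .cap_sys_ptrace = false };
    struct uffd_ctx ctx;

    uffd_create(&ctx, &user);
    return check_at_ioctl
        ? uffd_api_check_at_ioctl(&ctx, &user, UFFD_FEATURE_EVENT_FORK)
        : uffd_api_check_at_create(&ctx, &user, UFFD_FEATURE_EVENT_FORK);
}

int main(void)
{
    printf("drop privs, check at create: %d\n", scenario_drop_privs(false));
    printf("drop privs, check at ioctl:  %d\n", scenario_drop_privs(true));
    printf("unprivileged, check at create: %d\n", scenario_unprivileged(false));
    printf("unprivileged, check at ioctl:  %d\n", scenario_unprivileged(true));
    return 0;
}
```

In the privilege-drop scenario only variant B refuses, which is the property the reply is after: the decision is made against the credentials that hold when the feature is actually enabled, not the ones that held when the fd was opened. The model covers only the ioctl path; as the reply's last line notes, the same check has to sit on every entry point that can enable the feature.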