| Message ID | 20200401213903.182112-4-dancol@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | SELinux support for anonymous inodes and UFFD | expand |
On Wed, Apr 01, 2020 at 02:39:03PM -0700, Daniel Colascione wrote: > This change gives userfaultfd file descriptors a real security > context, allowing policy to act on them. > > Signed-off-by: Daniel Colascione <dancol@google.com> > --- > fs/userfaultfd.c | 30 ++++++++++++++++++++++++++---- > 1 file changed, 26 insertions(+), 4 deletions(-) > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 37df7c9eedb1..78ff5d898733 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -76,6 +76,8 @@ struct userfaultfd_ctx { > bool mmap_changing; > /* mm with one ore more vmas attached to this userfaultfd_ctx */ > struct mm_struct *mm; > + /* The inode that owns this context --- not a strong reference. */ > + const struct inode *owner; > }; Adding this field seems wrong. There's no reference held to it, so it can only be used if the caller holds a reference to the inode anyway. The only user of this field is via userfafultfd_read(), so why not just use the inode of the struct file passed to userfaultfd_read()? > SYSCALL_DEFINE1(userfaultfd, int, flags) > { > + struct file *file; > struct userfaultfd_ctx *ctx; > int fd; > > @@ -1974,8 +1979,25 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > /* prevent the mm struct to be freed */ > mmgrab(ctx->mm); > > - fd = anon_inode_getfd("[userfaultfd]", &userfaultfd_fops, ctx, > - O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS)); > + file = anon_inode_getfile_secure( > + "[userfaultfd]", &userfaultfd_fops, ctx, > + O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), > + NULL); > + if (IS_ERR(file)) { > + fd = PTR_ERR(file); > + goto out; > + } > + > + fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC); > + if (fd < 0) { > + fput(file); > + goto out; > + } > + > + ctx->owner = file_inode(file); > + fd_install(fd, file); > + > +out: > if (fd < 0) { > mmdrop(ctx->mm); > kmem_cache_free(userfaultfd_ctx_cachep, ctx); What's the point of anon_inode_getfile_secure()? anon_inode_getfd_secure() would work here too. - Eric
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 37df7c9eedb1..78ff5d898733 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -76,6 +76,8 @@ struct userfaultfd_ctx { bool mmap_changing; /* mm with one ore more vmas attached to this userfaultfd_ctx */ struct mm_struct *mm; + /* The inode that owns this context --- not a strong reference. */ + const struct inode *owner; }; struct userfaultfd_fork_ctx { @@ -1022,8 +1024,10 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *ctx, { int fd; - fd = anon_inode_getfd("[userfaultfd]", &userfaultfd_fops, new, - O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS)); + fd = anon_inode_getfd_secure( + "[userfaultfd]", &userfaultfd_fops, new, + O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), + ctx->owner); if (fd < 0) return fd; @@ -1945,6 +1949,7 @@ static void init_once_userfaultfd_ctx(void *mem) SYSCALL_DEFINE1(userfaultfd, int, flags) { + struct file *file; struct userfaultfd_ctx *ctx; int fd; @@ -1974,8 +1979,25 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) /* prevent the mm struct to be freed */ mmgrab(ctx->mm); - fd = anon_inode_getfd("[userfaultfd]", &userfaultfd_fops, ctx, - O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS)); + file = anon_inode_getfile_secure( + "[userfaultfd]", &userfaultfd_fops, ctx, + O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), + NULL); + if (IS_ERR(file)) { + fd = PTR_ERR(file); + goto out; + } + + fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC); + if (fd < 0) { + fput(file); + goto out; + } + + ctx->owner = file_inode(file); + fd_install(fd, file); + +out: if (fd < 0) { mmdrop(ctx->mm); kmem_cache_free(userfaultfd_ctx_cachep, ctx);
This change gives userfaultfd file descriptors a real security context, allowing policy to act on them. Signed-off-by: Daniel Colascione <dancol@google.com> --- fs/userfaultfd.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-)