On Aug 1, 2022, at 10:13 AM, Axel Rasmussen axelrasmussen@google.com wrote:
⚠ External Email
I finished up some other work and got around to writing a v5 today, but I ran into a problem with /proc/[pid]/userfaultfd.
Files in /proc/[pid]/* are owned by the user/group which started the process, and they don't support being chmod'ed.
For the userfaultfd device, I think we want the following semantics:
- For UFFDs created via the device, we want to always allow handling
kernel mode faults
- For security, the device should be owned by root:root by default, so
unprivileged users don't have default access to handle kernel faults
- But, the system administrator should be able to chown/chmod it, to
grant access to handling kernel faults for this process more widely.
It could be made to work like that but I think it would involve at least:
- Special casing userfaultfd in proc_pid_make_inode
- Updating setattr/getattr for /proc/[pid] to meaningfully store and
then retrieve uid/gid different from the task's, again probably special cased for userfautlfd since we don't want this behavior for other files
It seems to me such a change might raise eyebrows among procfs folks. Before I spend the time to write this up, does this seem like something that would obviously be nack'ed?
[ Please avoid top-posting in the future ]
I have no interest in making your life harder than it should be. If you cannot find a suitable alternative, I will not fight against it.
How about this alternative: how about following KVM usage-model?
IOW: You open /dev/userfaultfd, but this is not the file-descriptor that you use for most operations. Instead you first issue an ioctl - similarly to KVM_CREATE_VM - to get a file-descriptor for your specific process. You then use this new file-descriptor to perform your operations (read/ioctl/etc).
This would make the fact that ioctls/reads from different processes refer to different contexts (i.e., file-descriptors) much more natural.
Does it sound better?