From: David Matlack
Date: Wed, 28 May 2025 13:29:13 -0700
Subject: Re: [RFC v2 10/16] luo: luo_ioctl: add ioctl interface
To: Pasha Tatashin
Cc: pratyush@kernel.org, jasonmiu@google.com, graf@amazon.com, changyuanl@google.com, rppt@kernel.org, rientjes@google.com, corbet@lwn.net, rdunlap@infradead.org, ilpo.jarvinen@linux.intel.com, kanie@linux.alibaba.com, ojeda@kernel.org, aliceryhl@google.com, masahiroy@kernel.org, akpm@linux-foundation.org, tj@kernel.org, yoann.congal@smile.fr, mmaurer@google.com, roman.gushchin@linux.dev, chenridong@huawei.com, axboe@kernel.dk, mark.rutland@arm.com, jannh@google.com, vincent.guittot@linaro.org, hannes@cmpxchg.org, dan.j.williams@intel.com, david@redhat.com, joel.granados@kernel.org, rostedt@goodmis.org, anna.schumaker@oracle.com, song@kernel.org, zhangguopeng@kylinos.cn, linux@weissschuh.net, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, rafael@kernel.org, dakr@kernel.org, bartosz.golaszewski@linaro.org, cw00.choi@samsung.com, myungjoo.ham@samsung.com, yesanishhere@gmail.com, Jonathan.Cameron@huawei.com, quic_zijuhu@quicinc.com, aleksander.lobakin@intel.com, ira.weiny@intel.com, andriy.shevchenko@linux.intel.com, leon@kernel.org, lukas@wunner.de, bhelgaas@google.com, wagi@kernel.org, djeffery@redhat.com, stuart.w.hayes@gmail.com, ptyadav@amazon.de
In-Reply-To: <20250515182322.117840-11-pasha.tatashin@soleen.com>
References: <20250515182322.117840-1-pasha.tatashin@soleen.com> <20250515182322.117840-11-pasha.tatashin@soleen.com>

On Thu, May 15, 2025 at 11:23 AM Pasha Tatashin wrote:
> +static int luo_open(struct inode *inodep, struct file *filep)
> +{
> +	if (!capable(CAP_SYS_ADMIN))
> +		return -EACCES;

It makes sense that LIVEUPDATE_IOCTL_EVENT* would require CAP_SYS_ADMIN. But I think requiring it for LIVEUPDATE_IOCTL_FD* will add a lot of complexity. It would essentially require a central userspace process to mediate all preserving/restoring of file descriptors across Live Update to enforce security. If we need a central authority to enforce security, I don't see why that authority can't just be the kernel or what the industry gains by punting the problem to userspace.

It seems like all users of LUO are going to want the same security guarantees when it comes to FDs: a FD preserved inside a given "security domain" should not be accessible outside that domain.

One way to do this in the kernel would be to have the kernel hand out Live Update security tokens (say, some large random number). Then require userspace to pass in a security token when preserving an FD. Userspace can then only restore or unpreserve an FD if it passes back in the security token associated with the FD. Then it's just up to each userspace process to remember their token across kexec, keep it secret from other untrusted processes, and pass it back in when recovering FDs. All the kernel has to do is generate secure tokens, which I imagine can't be that hard.
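Review bot: luo_open() returns -EACCES when capable(CAP_SYS_ADMIN) fails, but the kernel convention for a refused capability check is -EPERM (EACCES is what the VFS reports when an object's mode or ACL denies access), so `return -EPERM;` would match other capable() call sites and the errno userspace expects from a privilege check. It is also worth stating in the commit message or ioctl documentation that the check happens once at open time, so the resulting fd can be handed to an unprivileged process and every later LIVEUPDATE_IOCTL_* call on it succeeds without a further capability check; that is a common and defensible pattern, but it should be documented as the intended model.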
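The per-FD token scheme sketched in the reply above, as an added user-space model in C. This is example code written for this page; it is not part of the LUO patch series or of the message, and the names (luo_token_new, luo_preserve_fd, luo_restore_fd, the handle-indexed table, the one-shot restore) are assumptions for illustration, not LUO APIs. The model reads /dev/urandom where the kernel would call get_random_bytes(), and keeps the preserved entries in an ordinary array where the kernel would keep them in memory that survives the kexec. What the paragraph does not spell out and the code makes explicit: the token must be long enough that guessing is infeasible, the comparison must not leak which byte was wrong, and a wrong token must leave the entry untouched rather than discarding it.

```c
/* Added example: user-space model of kernel-issued Live Update tokens.
 * Not LUO code; all names and the one-shot-restore behaviour are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LUO_TOKEN_LEN 16       /* 128 random bits: infeasible to guess */
#define LUO_MAX_PRESERVED 16   /* toy table size for the example */

struct luo_token {
	uint8_t b[LUO_TOKEN_LEN];
};

struct luo_preserved_fd {
	bool in_use;
	int fd;                    /* descriptor carried across the live update */
	struct luo_token token;    /* token presented when it was preserved */
};

/* Stand-in for kernel state that survives the kexec. */
static struct luo_preserved_fd luo_table[LUO_MAX_PRESERVED];

/* "Kernel" side: mint a token from the CSPRNG (/dev/urandom here,
 * get_random_bytes() in a real implementation). Returns 0 on success. */
int luo_token_new(struct luo_token *t)
{
	FILE *f = fopen("/dev/urandom", "rb");
	size_t n;

	if (!f)
		return -1;
	n = fread(t->b, 1, LUO_TOKEN_LEN, f);
	fclose(f);
	return n == LUO_TOKEN_LEN ? 0 : -1;
}

/* Constant-time compare: a wrong token must not be confirmable byte by byte. */
static bool luo_token_eq(const struct luo_token *a, const struct luo_token *b)
{
	uint8_t diff = 0;

	for (size_t i = 0; i < LUO_TOKEN_LEN; i++)
		diff |= a->b[i] ^ b->b[i];
	return diff == 0;
}

/* Preserve fd under the caller's token. Returns a handle >= 0, or -1 if full. */
int luo_preserve_fd(int fd, const struct luo_token *t)
{
	for (int i = 0; i < LUO_MAX_PRESERVED; i++) {
		if (!luo_table[i].in_use) {
			luo_table[i].in_use = true;
			luo_table[i].fd = fd;
			luo_table[i].token = *t;
			return i;
		}
	}
	return -1;
}

/* Restore (or unpreserve) the entry behind handle. Succeeds only if the
 * presented token matches the one recorded at preserve time; the entry is
 * consumed on success (assumption: one restore per preserved fd). */
int luo_restore_fd(int handle, const struct luo_token *t)
{
	if (handle < 0 || handle >= LUO_MAX_PRESERVED || !luo_table[handle].in_use)
		return -1;
	if (!luo_token_eq(&luo_table[handle].token, t))
		return -1;         /* other domain: refuse, leave the entry in place */
	luo_table[handle].in_use = false;
	return luo_table[handle].fd;
}

/* Scenario: process A preserves an fd; process B, holding its own token,
 * cannot take it; A gets it back exactly once. Returns 0 on success. */
int luo_demo(void)
{
	struct luo_token a, b;
	int h;

	if (luo_token_new(&a) || luo_token_new(&b))
		return -1;
	if (memcmp(a.b, b.b, LUO_TOKEN_LEN) == 0)
		return -2;                       /* fresh tokens must differ */
	h = luo_preserve_fd(7, &a);
	if (h < 0)
		return -3;
	if (luo_restore_fd(h, &b) != -1)
		return -4;                       /* B must be refused */
	if (luo_restore_fd(h, &a) != 7)
		return -5;                       /* A recovers its fd */
	if (luo_restore_fd(h, &a) != -1)
		return -6;                       /* and only once */
	return 0;
}

int main(void)
{
	int rc = luo_demo();

	printf("luo token demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
	return rc == 0 ? 0 : 1;
}
```

The handle returned by luo_preserve_fd is not secret and may be enumerated; only the token gates access, which is why the refusal path does not reveal whether the handle exists or the token was wrong. In the kernel the same shape would put the token in the ioctl argument struct and the table in the preserved memory region.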