An epoll fd may be inherited during fork and execve, allowing processes to currently pass capabilities to each other via epoll_event->data. However, the CHERI security model does not allow sharing capabilities via any form of IPC [1]. Therefore we should restrict when capabilities can be passed.
Add a TODO to revisit this in the future.
It's worth noting that kqueue/epoll-shim in CheriBSD likely suffers from the same problem.
[1] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-ca...
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
---
 fs/eventpoll.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 8a1d3b3fe9c9..5dce236cf3ec 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2179,6 +2179,9 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds, * The following function implements the controller interface for * the eventpoll file that enables the insertion/removal/change of * file descriptors inside the interest set. + * + * TODO [PCuABI] - restrict passing capabilities between processes via + * epoll_ctl/epoll_wait */ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, struct epoll_event __user *, event)
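Review bot: the TODO names both epoll_ctl and epoll_wait, but it is only added to the doc comment above SYSCALL_DEFINE4(epoll_ctl); the epoll_wait side, where the stored epoll_event->data is copied back to userspace, carries no marker, so whoever picks this up may fix registration and miss delivery. Suggest adding the same "TODO [PCuABI]" comment at the epoll_wait/event-delivery path, and including the rationale from the commit message ("the CHERI security model does not allow sharing capabilities via any form of IPC") plus the [1] reference in the comment text, since the commit message is not visible to someone reading fs/eventpoll.c. As the patch stands it adds only a comment and changes no behaviour, which matches the stated intent, but the commit message should say explicitly that capabilities can still cross a fork/execve boundary via epoll until the restriction lands.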