From: Peter Xu
To: linux-kernel@vger.kernel.org
Cc: Paolo Bonzini, Hugh Dickins, Luis Chamberlain, Maxime Coquelin, Maya Gokhale, Jerome Glisse, Pavel Emelyanov, Johannes Weiner, peterx@redhat.com, Martin Cracauer, Denis Plotnikov, linux-mm@kvack.org, Marty McFadden, Mike Kravetz, Andrea Arcangeli, Mike Rapoport, Kees Cook, Mel Gorman, "Kirill A . Shutemov", linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, "Dr . David Alan Gilbert", Andrew Morton
Subject: [PATCH v2 0/1] userfaultfd: allow to forbid unprivileged users
Date: Tue, 19 Mar 2019 11:07:21 +0800
Message-Id: <20190319030722.12441-1-peterx@redhat.com>

Hi,

This is the second version of the work. V1 was here:

  https://lkml.org/lkml/2019/3/11/207

I removed CC to kvm list since not necessary any more, but added linux-api to the list as suggested by Kirill.

This one greatly simplifies the previous version, drops the kvm special entry and mimics the sysctl_unprivileged_bpf_disabled knob for userfaultfd as suggested by many. The major differences compared to the BPF flag are: (1) use PTRACE instead of ADMIN capability, and (2) allow to switch the flag back and forth (BPF does not allow to switch back to "enabled" if "disabled" once).

So the main idea of this simpler version is that we still keep the old way as is by default but we only provide a way for admins when they really want to turn userfaultfd off for unprivileged users.

About procfs vs sysfs: I still used the procfs way because admins can still leverage sysctl.conf with that and also since no one explicitly asked for sysfs for a better reason yet (and I just noticed BPF just added another bpf_stats_enabled into sysctl a few weeks ago).

Please have a look, thanks.

Peter Xu (1):
  userfaultfd/sysctl: add vm.unprivileged_userfaultfd

 Documentation/sysctl/vm.txt   | 12 ++++++++++++
 fs/userfaultfd.c              |  5 +++++
 include/linux/userfaultfd_k.h |  2 ++
 kernel/sysctl.c               | 12 ++++++++++++
 4 files changed, 31 insertions(+)

-- 
2.17.1
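Because the knob described above can be switched back and forth at runtime and is meant to be persisted through sysctl.conf, an administrator may want to check that the live value and the persisted value agree. The following audit script is an added example, not part of the patch or the original message. It assumes the value semantics of the knob's mainline documentation (1 = unprivileged use allowed, 0 = CAP_SYS_PTRACE required), which the cover letter does not spell out; the function names and the config file order are hypothetical.

```shell
#!/bin/sh
# Added example: audit vm.unprivileged_userfaultfd, runtime vs. persisted.
# Assumption (not in the cover letter): 1 = unprivileged use allowed,
# 0 = caller needs CAP_SYS_PTRACE.
KNOB="vm.unprivileged_userfaultfd"

# runtime_value [PROC_ROOT]: print the live value, or "absent" when the
# running kernel does not expose the knob.
runtime_value() {
    f="${1:-/proc}/sys/vm/unprivileged_userfaultfd"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'absent'; fi
}

# persisted_value FILE...: print the last value assigned to the knob in
# sysctl.conf-style files (later files win), or "unset".
persisted_value() {
    v="unset"
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        found=$(sed -n 's/^[[:space:]]*vm[./]unprivileged_userfaultfd[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
        if [ -n "$found" ]; then v="$found"; fi
    done
    printf '%s' "$v"
}

# audit PROC_ROOT FILE...: returns 0 only when the knob is restricted both
# at runtime and in the persisted configuration; 2 when it is unsupported.
audit() {
    root="$1"; shift
    live=$(runtime_value "$root")
    want=$(persisted_value "$@")
    case "$live:$want" in
        absent:*) echo "UNSUPPORTED: $KNOB not present"; return 2 ;;
        0:0)      echo "OK: restricted at runtime and in config"; return 0 ;;
        0:*)      echo "DRIFT: runtime=0 but persisted=$want; not kept across reboot"; return 1 ;;
        *:0)      echo "DRIFT: persisted=0 but runtime=$live; flag was switched back"; return 1 ;;
        *)        echo "OPEN: runtime=$live persisted=$want"; return 1 ;;
    esac
}

# Audit the live host only when asked (sh audit.sh --run). The file order
# is an assumption; match it to how your distribution loads sysctl files.
if [ "${1:-}" = "--run" ]; then
    audit /proc /etc/sysctl.d/*.conf /etc/sysctl.conf
fi
```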