Date: Thu, 21 Mar 2019 17:06:17 -0400
From: Andrea Arcangeli
To: Luis Chamberlain
Cc: "Dr. David Alan Gilbert", Andrew Morton, Peter Xu, linux-kernel@vger.kernel.org, Paolo Bonzini, Hugh Dickins, Maxime Coquelin, Maya Gokhale, Jerome Glisse, Pavel Emelyanov, Johannes Weiner, Martin Cracauer, Denis Plotnikov, linux-mm@kvack.org, Marty McFadden, Mike Kravetz, Mike Rapoport, Kees Cook, Mel Gorman, "Kirill A. Shutemov", linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2 1/1] userfaultfd/sysctl: add vm.unprivileged_userfaultfd
Message-ID: <20190321210617.GB22094@redhat.com>
References: <20190319030722.12441-1-peterx@redhat.com> <20190319030722.12441-2-peterx@redhat.com> <20190319110236.b6169d6b469a587a852c7e09@linux-foundation.org> <20190319182822.GK2727@work-vm> <20190320190112.GD23793@redhat.com> <20190321134335.GB1146@42.do-not-panic.com>
In-Reply-To: <20190321134335.GB1146@42.do-not-panic.com>

Hello,

On Thu, Mar 21, 2019 at 01:43:35PM +0000, Luis Chamberlain wrote:
> On Wed, Mar 20, 2019 at 03:01:12PM -0400, Andrea Arcangeli wrote:
> > but
> > that would be better be achieved through SECCOMP and not globally.'.
>
> That begs the question why not use seccomp for this? What if everyone
> decided to add a knob for all syscalls to do the same? For the commit
> log, why is it OK then to justify a knob for this syscall?

That's a good point and it's obviously more secure because you can
block a lot more than just bpf and userfaultfd: however not all
syscalls have CONFIG_USERFAULTFD=n or CONFIG_BPF_SYSCALL=n that you
can set to =n at build time, then they'll return -ENOSYS (implemented
as sys_ni_syscall in the =n case).

The point of the bpf (already included upstream) and userfaultfd
(proposed) sysctl is to avoid users having to rebuild the kernel if
they want to harden their setup without being forced to run all
containers under seccomp, just like they could by setting those two
config options "=n" at build time.

So you can see it like allowing a runtime selection of
CONFIG_USERFAULTFD and CONFIG_BPF_SYSCALL without the kernel build
time config forcing the decision on behalf of the end user.

Thanks,
Andrea
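Added example, not code from this thread or from the kernel patch: the per-process alternative Luis raises, a seccomp-BPF filter that makes userfaultfd(2) and bpf(2) fail with ENOSYS just as CONFIG_USERFAULTFD=n and CONFIG_BPF_SYSCALL=n would, plus a probe that tells the outcomes apart. The function names, the architecture handling and the assumption that the proposed sysctl refuses unprivileged callers with EPERM (the thread does not state the errno) are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_ARCH AUDIT_ARCH_X86_64   /* assumption: add other arches as needed */
#endif

/* Per-process equivalent of CONFIG_USERFAULTFD=n and CONFIG_BPF_SYSCALL=n:
 * userfaultfd(2) and bpf(2) fail with ENOSYS, everything else is allowed.
 * Returns 0 on success, -1 with errno set otherwise. */
int deny_uffd_and_bpf(void)
{
    struct sock_filter code[] = {
        /* Kill if the syscall numbers below were compiled for another arch. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_userfaultfd, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bpf, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    /* Lets an unprivileged process install the filter (and forbids later privilege gain). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe userfaultfd(2): "enosys" = CONFIG_USERFAULTFD=n or a seccomp filter;
 * "eperm" = assumed answer of the proposed sysctl to an unprivileged caller. */
const char *probe_userfaultfd(void)
{
    int fd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd >= 0) { close(fd); return "available"; }
    return errno == ENOSYS ? "enosys" : errno == EPERM ? "eperm" : "other";
}
```

Call deny_uffd_and_bpf() once early in the process (or have the container runtime install an equivalent filter); from then on probe_userfaultfd() reports "enosys" and bpf(2) fails the same way, with no sysctl and no kernel rebuild involved.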