Date: Sat, 12 Oct 2019 12:15:55 -0700
Message-Id: <20191012191602.45649-1-dancol@google.com>
Subject: [PATCH 0/7] Harden userfaultfd
From: Daniel Colascione
To: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, lokeshgidra@google.com, dancol@google.com, nnk@google.com
Cc: nosh@google.com, timmurray@google.com

Userfaultfd in unprivileged contexts could be potentially very useful. We'd like to harden userfaultfd to make such unprivileged use less risky. This patch series allows SELinux to manage userfaultfd file descriptors (via a new flag, for compatibility with existing code) and allows administrators to limit userfaultfd to servicing user-mode faults, increasing the difficulty of using userfaultfd in exploit chains invoking delaying kernel faults.

A new anon_inodes interface allows callers to opt into SELinux management of anonymous file objects. In this mode, anon_inodes creates new ephemeral inodes for anonymous file objects instead of reusing a singleton dummy inode. A new LSM hook gives security modules an opportunity to configure and veto these ephemeral inodes. Existing anon_inodes users must opt into the new functionality.

Daniel Colascione (7):
  Add a new flags-accepting interface for anonymous inodes
  Add a concept of a "secure" anonymous file
  Add a UFFD_SECURE flag to the userfaultfd API.
  Teach SELinux about a new userfaultfd class
  Let userfaultfd opt out of handling kernel-mode faults
  Allow users to require UFFD_SECURE
  Add a new sysctl for limiting userfaultfd to user mode faults

 Documentation/admin-guide/sysctl/vm.rst | 19 +++++-
 fs/anon_inodes.c                        | 89 +++++++++++++++++--------
 fs/userfaultfd.c                        | 47 +++++++++++--
 include/linux/anon_inodes.h             | 27 ++++++--
 include/linux/lsm_hooks.h               |  8 +++
 include/linux/security.h                |  2 +
 include/linux/userfaultfd_k.h           |  3 +
 include/uapi/linux/userfaultfd.h        | 14 ++++
 kernel/sysctl.c                         |  9 +++
 security/security.c                     |  8 +++
 security/selinux/hooks.c                | 68 +++++++++++++++++++
 security/selinux/include/classmap.h     |  2 +
 12 files changed, 256 insertions(+), 40 deletions(-)

-- 
2.23.0.700.g56cf767bdb-goog
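The hardening the cover letter argues for, "limit userfaultfd to servicing user-mode faults", is easiest to understand by watching the two cases side by side: a kernel fault taken inside a syscall on a plain userfaultfd stalls the kernel until the handler answers (the primitive exploit chains use to widen a race window), while the same fault on a user-mode-only userfaultfd is refused. The program below is an added example written for this page, not code from the series or from the kernel tree. It assumes a few things: the UFFD_SECURE flag proposed in this series is not what mainline carries, so the example uses UFFD_USER_MODE_ONLY (uapi value 1), the flag mainline later adopted for the same user-mode-only restriction; the sysctl the series adds is not named on this page and is not used; the SELinux class is policy, not exercised here; and the fault handler runs in a forked child (the shared userfaultfd's ioctls act on the mm that created it), so no thread library is needed. It needs a Linux kernel that permits userfaultfd for the caller; where it does not, the probe reports that rather than failing.

```c
/* Added example (not from this series): contrast a plain userfaultfd with one
 * limited to user-mode faults, the restriction this cover letter proposes.
 * Assumption: the series' UFFD_SECURE flag is not in mainline; the flag mainline
 * later adopted for the same restriction is UFFD_USER_MODE_ONLY (uapi value 1). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1   /* uapi value; headers older than 5.11 lack it */
#endif

enum uffd_probe {
    UFFD_PROBE_ERROR = -1,        /* a setup step failed unexpectedly */
    UFFD_UNAVAILABLE = 0,         /* userfaultfd missing, denied, or flag unknown */
    UFFD_KERNEL_FAULT_SERVICED,   /* read(2) stalled until the handler filled the page */
    UFFD_KERNEL_FAULT_EFAULT,     /* kernel refused to wait on userspace: EFAULT */
};

/* Fault handler, run in a forked child.  The uffd is shared and its ioctls
 * act on the mm that created it (the parent), so the child can resolve the
 * parent's faults; each missing page is resolved with a zero page. */
static void serve_faults(int uffd, unsigned long page_size, pid_t parent) {
    for (;;) {
        struct pollfd pfd = { .fd = uffd, .events = POLLIN };
        int rc = poll(&pfd, 1, 50);
        if (rc < 0 || getppid() != parent) _exit(0);
        if (rc == 0) continue;
        struct uffd_msg msg;
        if (read(uffd, &msg, sizeof msg) != (ssize_t)sizeof msg) continue;
        if (msg.event != UFFD_EVENT_PAGEFAULT) continue;
        struct uffdio_zeropage zp = {
            .range.start = msg.arg.pagefault.address & ~((__u64)page_size - 1),
            .range.len = page_size,
        };
        ioctl(uffd, UFFDIO_ZEROPAGE, &zp);
    }
}

/* Register two missing pages, take one fault from user mode (allowed either
 * way), then make the kernel fault on the second page from inside read(2). */
enum uffd_probe probe_kernel_fault(int user_mode_only) {
    unsigned long page_size = (unsigned long)sysconf(_SC_PAGESIZE);
    int flags = O_CLOEXEC | O_NONBLOCK | (user_mode_only ? UFFD_USER_MODE_ONLY : 0);
    int uffd = (int)syscall(__NR_userfaultfd, flags);
    if (uffd < 0) return UFFD_UNAVAILABLE;      /* ENOSYS, EPERM, or EINVAL pre-5.11 */
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    if (ioctl(uffd, UFFDIO_API, &api) < 0) { close(uffd); return UFFD_UNAVAILABLE; }

    size_t len = 2 * page_size;
    char *region = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) { close(uffd); return UFFD_PROBE_ERROR; }
    struct uffdio_register reg = {
        .range.start = (unsigned long)region, .range.len = len,
        .mode = UFFDIO_REGISTER_MODE_MISSING,
    };
    int pfd[2];
    if (ioctl(uffd, UFFDIO_REGISTER, &reg) < 0 || pipe(pfd) < 0) {
        munmap(region, len); close(uffd); return UFFD_PROBE_ERROR;
    }
    pid_t handler = fork();
    if (handler == 0) serve_faults(uffd, page_size, getppid());
    if (handler < 0) { munmap(region, len); close(uffd); return UFFD_PROBE_ERROR; }

    /* 1. User-mode fault on page 0: blocks here until the handler fills it. */
    char first = *(volatile char *)region;

    /* 2. Kernel-mode fault on page 1: read(2) copies the pipe byte into it.
     *    A plain uffd stalls the kernel until the handler answers; a
     *    user-mode-only uffd makes the copy fail and read(2) returns EFAULT. */
    enum uffd_probe result = UFFD_PROBE_ERROR;
    if (write(pfd[1], "x", 1) == 1) {
        ssize_t n = read(pfd[0], region + page_size, 1);
        if (n == 1) result = UFFD_KERNEL_FAULT_SERVICED;
        else if (n < 0 && errno == EFAULT) result = UFFD_KERNEL_FAULT_EFAULT;
    }
    if (first != 0) result = UFFD_PROBE_ERROR;   /* zero page expected */

    kill(handler, SIGKILL); waitpid(handler, NULL, 0);
    close(pfd[0]); close(pfd[1]); munmap(region, len); close(uffd);
    return result;
}

int main(void) {
    static const char *const names[] = { "unavailable",
        "kernel fault serviced by handler", "kernel fault refused (EFAULT)" };
    for (int umo = 0; umo <= 1; umo++) {
        enum uffd_probe r = probe_kernel_fault(umo);
        printf("%s uffd: %s\n", umo ? "user-mode-only" : "plain",
               r < 0 ? "probe error" : names[r]);
    }
    return 0;
}
```

On a kernel that accepts the flag, `probe_kernel_fault(1)` returns UFFD_KERNEL_FAULT_EFAULT: the pipe read fails instead of parking the kernel thread on the handler, which is the property the series wants administrators to be able to require. `probe_kernel_fault(0)` on the same kernel returns UFFD_KERNEL_FAULT_SERVICED, the behaviour exploit chains rely on. An unprivileged caller on a kernel whose unprivileged-userfaultfd sysctl is off typically sees the plain probe report UFFD_UNAVAILABLE (EPERM) while the user-mode-only probe still works, which is the same split this cover letter describes from the policy side.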