Date: Sat, 12 Oct 2019 12:16:01 -0700
In-Reply-To: <20191012191602.45649-1-dancol@google.com>
Message-Id: <20191012191602.45649-7-dancol@google.com>
References: <20191012191602.45649-1-dancol@google.com>
Subject: [PATCH 6/7] Allow users to require UFFD_SECURE
From: Daniel Colascione
To: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, lokeshgidra@google.com, dancol@google.com, nnk@google.com
Cc: nosh@google.com, timmurray@google.com

This change adds 2 as an allowable value for unprivileged_userfaultfd.
(Previously, this sysctl could be either 0 or 1.) When
unprivileged_userfaultfd is 2, users with CAP_SYS_PTRACE may create
userfaultfd with or without UFFD_SECURE, but users without
CAP_SYS_PTRACE must pass UFFD_SECURE to userfaultfd in order for the
system call to succeed, effectively forcing them to opt into additional
security checks.

Signed-off-by: Daniel Colascione
---
 Documentation/admin-guide/sysctl/vm.rst | 6 ++++--
 fs/userfaultfd.c                        | 4 +++-
 kernel/sysctl.c                         | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst index 64aeee1009ca..6664eec7bd35 100644 --- a/Documentation/admin-guide/sysctl/vm.rst
+++ b/Documentation/admin-guide/sysctl/vm.rst @@ -842,8 +842,10 @@ unprivileged_userfaultfd This flag controls whether unprivileged users can use the userfaultfd system calls. Set this to 1 to allow unprivileged users to use the -userfaultfd system calls, or set this to 0 to restrict userfaultfd to only -privileged users (with SYS_CAP_PTRACE capability). +userfaultfd system calls, or set this to 0 to restrict userfaultfd to +only privileged users (with SYS_CAP_PTRACE capability). If set to 2, +unprivileged (non-SYS_CAP_PTRACE) users may use userfaultfd only if +they pass the UFFD_SECURE, enabling MAC security checks. The default value is 1. diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 986d23b2cd33..aaed9347973e 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1963,8 +1963,10 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) struct userfaultfd_ctx *ctx; int fd; static const int uffd_flags = UFFD_SECURE | UFFD_USER_MODE_ONLY; + bool need_cap_check = sysctl_unprivileged_userfaultfd == 0 || + (sysctl_unprivileged_userfaultfd == 2 && !(flags & UFFD_SECURE)); - if (!sysctl_unprivileged_userfaultfd && !capable(CAP_SYS_PTRACE)) + if (need_cap_check && !capable(CAP_SYS_PTRACE)) return -EPERM; BUG_ON(!current->mm); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 00fcea236eba..fc98d5df344e 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -1738,7 +1738,7 @@ static struct ctl_table vm_table[] = { .mode = 0644, .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, - .extra2 = SYSCTL_ONE, + .extra2 = &two, }, #endif { } -- 2.23.0.700.g56cf767bdb-goog
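Review bot: the vm.rst hunk misnames the capability. The code in fs/userfaultfd.c checks `CAP_SYS_PTRACE`, but the added line says `(non-SYS_CAP_PTRACE) users` and the rewritten context line keeps `SYS_CAP_PTRACE capability`; since this hunk already touches both lines, correct both to `CAP_SYS_PTRACE`. The new sentence `they pass the UFFD_SECURE, enabling MAC security checks` is also missing a noun and should say what happens otherwise, e.g. `they pass the UFFD_SECURE flag, which enables MAC security checks; without it the call fails with EPERM`, matching the `return -EPERM` path in the fs/userfaultfd.c hunk.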
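Review bot: `need_cap_check` in the fs/userfaultfd.c hunk reads `sysctl_unprivileged_userfaultfd` twice, and the sysctl is writable at runtime, so the two comparisons can observe different values. If the value changes from 2 to 0 between the reads, the `== 0` test sees 2 and the `== 2` test sees 0, so `need_cap_check` is false and a caller without `CAP_SYS_PTRACE` and without `UFFD_SECURE` passes a check that neither policy permits. Read it once, e.g. `int unpriv = READ_ONCE(sysctl_unprivileged_userfaultfd);`, and use `unpriv` in both comparisons.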
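Review bot: `.extra2 = &two` in the kernel/sysctl.c hunk depends on a `two` variable that this patch does not declare and that is not visible anywhere in the diff; confirm it exists in kernel/sysctl.c of the target tree, otherwise this hunk does not build. A one-line comment next to the entry (or a mention in the vm.rst hunk) that the accepted range is now 0..2 would also help, since `proc_dointvec_minmax` will silently clamp nothing and simply reject 3 and above.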