Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2548663ybp;
        Sat, 12 Oct 2019 12:20:37 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxBydWIp2G3tm8ONpUEeP+moVJHSOrjM74JxmWzAZ+4TTmMwe7AE71pXe5go3DMQ0hTa6t8
X-Received: by 2002:a17:906:5c0a:: with SMTP id e10mr20375876ejq.285.1570908037027;
        Sat, 12 Oct 2019 12:20:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570908037; cv=none;
        d=google.com; s=arc-20160816;
        b=mqA97vfWsURCKU4RnEomJCW46PyknBU5wSlODe0xzu1aXCPkUUipxH3iFd+iVbQQeV
         GClfDLHiihYAv3bFTObsn+tybpzqwGSc89U7+nBANskNLXeART3xH3pmNnGBIyrGo3oU
         iuw2SJ6tRpvqo5X4703ryDB2DfNxm1o0A813C8GKKwQchS8LiaIoPtQRyx/S1CXEFcI+
         abKAkaBXb2fmLnH2fFuONGGNlh9WYwyL3/bkeMmP6ZjC6r8+B29TLN7Be/y8Cyk5PypP
         ldEDEbfA/y8Zs1thaDyymwS7oOmh11twU4pDfIh9Zpu5sOVEnsI0gat9R9HicV2C3/y5
         mVBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=JzOfukPeifzyE+Hzh6AM1ECnC48wv32Xd/UndNRDiTo=;
        b=BI+Yr8PENbi7395iCNMV2m68kx27rjj0zEZUTmPYgxcvLSUOvM7jRqZlv/7dz5uQU/
         W6eqA10c78EKM6Aq0XrquiXWxoekmJxM9zV+ePanCivR2GEnZIZGNCIgUm9ELoc+g0Kn
         5FEcPkTSyFhhXvpwoYGemuPeCnwm8AkQgo/911fji6vz4mH8lFLr3QhYueao837NyyJy
         B0dFrxcfv9zMROxlvNgmwz+rErnks6Av63oVS9tXOditWObV0SgVecG1n/n1NHvJz3a/
         0qQLjZNjARl5dChZzMsY54pBelq0l6RTBS3ubV7NTBvhCPLoPFlt16JTxpQ1wyLILTVO
         ksEw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=kDQcXQa0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f29si7982058ejj.110.2019.10.12.12.20.13;
        Sat, 12 Oct 2019 12:20:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=kDQcXQa0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729754AbfJLTQa (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Sat, 12 Oct 2019 15:16:30 -0400
Received: from mail-pg1-f202.google.com ([209.85.215.202]:55874 "EHLO
        mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729731AbfJLTQ1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 12 Oct 2019 15:16:27 -0400
Received: by mail-pg1-f202.google.com with SMTP id k18so9461401pgh.22
        for <linux-kernel@vger.kernel.org>; Sat, 12 Oct 2019 12:16:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=JzOfukPeifzyE+Hzh6AM1ECnC48wv32Xd/UndNRDiTo=;
        b=kDQcXQa0VYmk2lf9nJ7jqZxWRDVdkQVg+UBXlTJRuKtd7I68txAG3zAAgGzWHZffIz
         ACbU48iFgUzzey52gZXZhwXb/RlhFw/BAkjTItM87AJ6j0JppA2oWS/FARYCx8qDlkcS
         C6MPV7I/5wSKFvYULa1jc8EpbWv4WQqH4r2xf84JPOREQyzXwh9pd5BY2PzMQsdzULzf
         Na3ZxHH93Li1yqBwI9w1X881rwDx1lxUmC/T76qqIFsCPHyxai4EgzSUeQ5uvT8BkZjx
         MtlrBaaEFRezoYk0J6qwwXL0aicSKjGgU8B/V9/ZbeQpeV42NsFzOkQl/bKFzOD5Rxfl
         Eoyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=JzOfukPeifzyE+Hzh6AM1ECnC48wv32Xd/UndNRDiTo=;
        b=ZnQBaLpj4CXJ2ETrwvSjJzpAAjifxKdg3qHSCJldaFeTecgP7K9xP69meNZia2uL+F
         hgk5zEIM2obDIM58rY5Nn+Z6oVDGmWQo4LCeOotNtJ/KY5tpeDYPySRB1ELf3kBubreF
         oiHxeSrNEAYo3YgqZcAm2DCjEjmdQBus2j7IhCyko1Y9Bzt114Otm+JhUHblwZy19lkb
         sNxqrsbg9ZMenYcaTbgaKsjcycNEy9yZcwgwTT68AmTDp8U2Lb9W2qSqv4IpTVhNdUQ0
         SVlSR+WM7mj6G1IcH96FWFphV/2URB87/NIg+EQGAEd3SPq1x3UI3jV1PXvF5fcmPH4C
         gOQg==
X-Gm-Message-State: APjAAAUfmfXDDYavU3+4O6LgzcTSr/qR4yszSIWvK0HTXan6FktTC2oS
        Hbc7+KLmCyH+om15Vd7hXJ8yJTWHkvo=
X-Received: by 2002:a65:498c:: with SMTP id r12mr24547774pgs.280.1570907784749;
 Sat, 12 Oct 2019 12:16:24 -0700 (PDT)
Date:   Sat, 12 Oct 2019 12:16:02 -0700
In-Reply-To: <20191012191602.45649-1-dancol@google.com>
Message-Id: <20191012191602.45649-8-dancol@google.com>
Mime-Version: 1.0
References: <20191012191602.45649-1-dancol@google.com>
X-Mailer: git-send-email 2.23.0.700.g56cf767bdb-goog
Subject: [PATCH 7/7] Add a new sysctl for limiting userfaultfd to user mode faults
From:   Daniel Colascione <dancol@google.com>
To:     linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
        lokeshgidra@google.com, dancol@google.com, nnk@google.com
Cc:     nosh@google.com, timmurray@google.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Add a new sysctl knob unprivileged_userfaultfd_user_mode_only.
This sysctl can be set to either zero or one. When zero (the default)
the system lets all users call userfaultfd with or without
UFFD_USER_MODE_ONLY, modulo other access controls. When
unprivileged_userfaultfd_user_mode_only is set to one, users without
CAP_SYS_PTRACE must pass UFFD_USER_MODE_ONLY to userfaultfd or the API
will fail with EPERM. This facility allows administrators to reduce
the likelihood that an attacker with access to userfaultfd can delay
faulting kernel code to widen timing windows for other exploits.

Signed-off-by: Daniel Colascione <dancol@google.com>
---
 Documentation/admin-guide/sysctl/vm.rst | 13 +++++++++++++
 fs/userfaultfd.c                        | 12 ++++++++++--
 include/linux/userfaultfd_k.h           |  1 +
 kernel/sysctl.c                         |  9 +++++++++
 4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst
index 6664eec7bd35..330fd82b3f4e 100644
--- a/Documentation/admin-guide/sysctl/vm.rst
+++ b/Documentation/admin-guide/sysctl/vm.rst
@@ -849,6 +849,19 @@ they pass the UFFD_SECURE, enabling MAC security checks.
 
 The default value is 1.
 
+unprivileged_userfaultfd_user_mode_only
+========================================
+
+This flag controls whether unprivileged users can use the userfaultfd
+system calls to handle page faults in kernel mode.  If set to zero,
+userfaultfd works with or without UFFD_USER_MODE_ONLY, modulo
+unprivileged_userfaultfd above.  If set to one, users without
+SYS_CAP_PTRACE must pass UFFD_USER_MODE_ONLY in order for userfaultfd
+to succeed.  Prohibiting use of userfaultfd for handling faults from
+kernel mode may make certain vulnerabilities more difficult
+to exploit.
+
+The default value is 0.
 
 user_reserve_kbytes
 ===================
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index aaed9347973e..02addd425ab7 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -29,6 +29,7 @@
 #include <linux/hugetlb.h>
 
 int sysctl_unprivileged_userfaultfd __read_mostly = 1;
+int sysctl_unprivileged_userfaultfd_user_mode_only __read_mostly = 0;
 
 static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
 
@@ -1963,8 +1964,15 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
 	struct userfaultfd_ctx *ctx;
 	int fd;
 	static const int uffd_flags = UFFD_SECURE | UFFD_USER_MODE_ONLY;
-	bool need_cap_check = sysctl_unprivileged_userfaultfd == 0 ||
-		(sysctl_unprivileged_userfaultfd == 2 && !(flags & UFFD_SECURE));
+	bool need_cap_check = false;
+
+	if (sysctl_unprivileged_userfaultfd == 0 ||
+	    (sysctl_unprivileged_userfaultfd == 2 && !(flags & UFFD_SECURE)))
+		need_cap_check = true;
+
+	if (sysctl_unprivileged_userfaultfd_user_mode_only &&
+	    (flags & UFFD_USER_MODE_ONLY) == 0)
+		need_cap_check = true;
 
 	if (need_cap_check && !capable(CAP_SYS_PTRACE))
 		return -EPERM;
diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h
index 549c8b0cca52..efe14abb2dc8 100644
--- a/include/linux/userfaultfd_k.h
+++ b/include/linux/userfaultfd_k.h
@@ -29,6 +29,7 @@
 #define UFFD_FLAGS_SET (EFD_SHARED_FCNTL_FLAGS)
 
 extern int sysctl_unprivileged_userfaultfd;
+extern int sysctl_unprivileged_userfaultfd_user_mode_only;
 
 extern const struct file_operations userfaultfd_fops;
 
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index fc98d5df344e..4f296676c0ac 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1740,6 +1740,15 @@ static struct ctl_table vm_table[] = {
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= &two,
 	},
+	{
+		.procname	= "unprivileged_userfaultfd_user_mode_only",
+		.data		= &sysctl_unprivileged_userfaultfd_user_mode_only,
+		.maxlen		= sizeof(sysctl_unprivileged_userfaultfd_user_mode_only),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE,
+	},
 #endif
 	{ }
 };
-- 
2.23.0.700.g56cf767bdb-goog