Date: Tue, 11 Feb 2020 14:55:41 -0800
Message-Id: <20200211225547.235083-1-dancol@google.com>
Subject: [PATCH v2 0/6] Harden userfaultfd
From: Daniel Colascione
To: dancol@google.com, timmurray@google.com, nosh@google.com, nnk@google.com,
    lokeshgidra@google.com, linux-kernel@vger.kernel.org,
    linux-api@vger.kernel.org, selinux@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Userfaultfd in unprivileged contexts could be potentially very useful. We'd like to harden userfaultfd to make such unprivileged use less risky. This patch series allows SELinux to manage userfaultfd file descriptors and allows administrators to limit userfaultfd to servicing user-mode faults, increasing the difficulty of using userfaultfd in exploit chains invoking delaying kernel faults.

A new anon_inodes interface allows callers to opt into SELinux management of anonymous file objects. In this mode, anon_inodes creates new ephemeral inodes for anonymous file objects instead of reusing a singleton dummy inode. A new LSM hook gives security modules an opportunity to configure and veto these ephemeral inodes. Existing anon_inodes users must opt into the new functionality.

Daniel Colascione (6):
  Add a new flags-accepting interface for anonymous inodes
  Add a concept of a "secure" anonymous file
  Teach SELinux about a new userfaultfd class
  Wire UFFD up to SELinux
  Let userfaultfd opt out of handling kernel-mode faults
  Add a new sysctl for limiting userfaultfd to user mode faults

 Documentation/admin-guide/sysctl/vm.rst | 13 ++++
 fs/anon_inodes.c                        | 89 +++++++++++++++++--------
 fs/userfaultfd.c                        | 29 ++++++--
 include/linux/anon_inodes.h             | 27 ++++++--
 include/linux/lsm_hooks.h               |  8 +++
 include/linux/security.h                |  2 +
 include/linux/userfaultfd_k.h           |  3 +
 include/uapi/linux/userfaultfd.h        |  9 +++
 kernel/sysctl.c                         |  9 +++
 security/security.c                     |  8 +++
 security/selinux/hooks.c                | 68 +++++++++++++++++++
 security/selinux/include/classmap.h     |  2 +
 12 files changed, 229 insertions(+), 38 deletions(-)

--
2.25.0.225.g125e21ebc7-goog