Received: by 2002:a25:23cc:0:0:0:0:0 with SMTP id j195csp211353ybj; Fri, 8 May 2020 09:56:53 -0700 (PDT) X-Google-Smtp-Source: APiQypL5pF6NJMpG/SIp4SJnV/xJxidtUBqviSU4OM9OtFdW9a2TMRNmWyyMduHBz99dzKLeCHLn X-Received: by 2002:a17:906:dc02:: with SMTP id yy2mr2646712ejb.11.1588957013311; Fri, 08 May 2020 09:56:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588957013; cv=none; d=google.com; s=arc-20160816; b=cIwYfZPOGe17AQs/8Jyf1q0A3G7uuMzO2Fr7rqYu+FEIwJa6bEAkoHKCO37/dcJhbQ yPhVxu0a0MnDfDV9AFvB1pEpezWfA76zuMUt6euNaVxIA6AvAITkCsjPgJGPMO2G1UEI ouAm1qdsDhJlSXDzpWewEtruoSMV++AsxIlmIMicXL9cfrfA/aN0WKNywgdo0GF4zflP zCYJJaSu3jjemON6+XJJIY3sTvOTNvh29lJKep3xqzxR/LdQFHA/4l8a0jQyx0G2PxHg Z8xLoGis+GNRusBy8BBDbBKLspOZEL+aoZoYpdVwYw99RiSUKmuM6IG/lFE2eJTJy0L/ +N7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=fJh7eTRaE+f6+UgQ6oEEyfJPgzAOQ9oHC0u2sEu1qMQ=; b=Dlw/lfu2vk461MxaGvk2Yo/A4rqRMv4tWqHS71T0aRYUD7oucUiCtczcW30zg3TbO8 BTcjFe4gjHCuC2A3t4tQfT4R8SJTXR+/wyrpU5WZXieKBELH4zHB/LTRLdy+Drm4lnKS hVMHx22pWYwqbq22jwTWAvFp7Bf1PL9Npt0RYy5SMrK+EA8aOF9iKW++PcHSEpdmO0zC 2WiECZt+oPuN7n2FXRmH9AFg9yettyuMxcZfw488RNK05c2tHf/CMZnUZ5kJ2+2DZL0u q9Yvx5swTBZUViPzedDsLy7v7Ac1SOH3d2hx30Kli4y5C0E9amk0CKAQfYsETMB/0FXr Q49g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="NA/3MflE"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v16si1292266eds.400.2020.05.08.09.56.29; Fri, 08 May 2020 09:56:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="NA/3MflE"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726904AbgEHQwo (ORCPT + 99 others); Fri, 8 May 2020 12:52:44 -0400 Received: from us-smtp-2.mimecast.com ([205.139.110.61]:51580 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726756AbgEHQwn (ORCPT ); Fri, 8 May 2020 12:52:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1588956757; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=fJh7eTRaE+f6+UgQ6oEEyfJPgzAOQ9oHC0u2sEu1qMQ=; b=NA/3MflEzq9MzBmRp8S3eexurAHAdkd0lkCtU1gJFjZ5dyvBYtV1katad+1VU8mdHunFxf WYlE4Lxysy9WDDJvKg/I9Xb/PnkJ/XG09txjdcWcJsl5mW+CV+nCqtSSMDcmpkU7wHg5Y8 c0uoCl0313Zl9FlVhovwBTBH/TVb1wo= Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-286-6AbALrqdMByxOOEBJII5zQ-1; Fri, 08 May 2020 12:52:35 -0400 X-MC-Unique: 6AbALrqdMByxOOEBJII5zQ-1 Received: by mail-wr1-f70.google.com with SMTP id z5so1148515wrt.17 for ; Fri, 08 May 2020 09:52:35 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=fJh7eTRaE+f6+UgQ6oEEyfJPgzAOQ9oHC0u2sEu1qMQ=; b=fEzHZnYOChH/oXUjTHxznumxT+SGEeSmtt1nJeR7iVnEHHRZuhICff63FiDzQjrToL nKR5deT/UVPLb33l4x/6C9UfZ4cp5afodEIAZ9aQ2jwvhhl2HLMmbAxa4mRPjRKgrVlm xitcG24SNvqiBRA33jwqE446isGOw4L2+g2pVWVY+XnqV79hVhC5IaIYblwHkADSXY9x Mc3tgJAsriRBF/j34zlGiNx2+6DIdxapxtMkrf9TsEvJeBeTgsOdToAaopDWAGpk6QjA 0r1A9a3HXwb6/Nn/mAAFYP9SUI4vqkymhhGmgcnSEfv31SjBsY/Mye3Hn7Yx2f3WM3nu qY1w== X-Gm-Message-State: AGi0PuYlNfpxSjH79hg5YSkBIcV8+lyB5JK6HJvhxJtkMNu3kURfu2E5 HwzDl4yc6FjZarWs77TNU/jplknUdkttdOOOgFQH7IOgHLj2V4qJnrRhcrzArMDlwn0m3gZyvlj 6++lGUQwNZmpU04JtP7wCK4eN X-Received: by 2002:adf:e9d0:: with SMTP id l16mr3763819wrn.69.1588956754391; Fri, 08 May 2020 09:52:34 -0700 (PDT) X-Received: by 2002:adf:e9d0:: with SMTP id l16mr3763791wrn.69.1588956754117; Fri, 08 May 2020 09:52:34 -0700 (PDT) Received: from redhat.com (bzq-79-179-68-225.red.bezeqint.net. [79.179.68.225]) by smtp.gmail.com with ESMTPSA id k17sm13777897wmi.10.2020.05.08.09.52.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 08 May 2020 09:52:33 -0700 (PDT) Date: Fri, 8 May 2020 12:52:29 -0400 From: "Michael S. Tsirkin" To: Daniel Colascione Cc: Jonathan Corbet , Alexander Viro , Luis Chamberlain , Kees Cook , Iurii Zaikin , Mauro Carvalho Chehab , Andrew Morton , Andy Shevchenko , Vlastimil Babka , Mel Gorman , Sebastian Andrzej Siewior , Peter Xu , Andrea Arcangeli , Mike Rapoport , Jerome Glisse , Shaohua Li , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, timmurray@google.com, minchan@google.com, sspatil@google.com, lokeshgidra@google.com Subject: Re: [PATCH 2/2] Add a new sysctl knob: unprivileged_userfaultfd_user_mode_only Message-ID: <20200508125054-mutt-send-email-mst@kernel.org> References: <20200423002632.224776-1-dancol@google.com> <20200423002632.224776-3-dancol@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200423002632.224776-3-dancol@google.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 22, 2020 at 05:26:32PM -0700, Daniel Colascione wrote: > This sysctl can be set to either zero or one. When zero (the default) > the system lets all users call userfaultfd with or without > UFFD_USER_MODE_ONLY, modulo other access controls. When > unprivileged_userfaultfd_user_mode_only is set to one, users without > CAP_SYS_PTRACE must pass UFFD_USER_MODE_ONLY to userfaultfd or the API > will fail with EPERM. This facility allows administrators to reduce > the likelihood that an attacker with access to userfaultfd can delay > faulting kernel code to widen timing windows for other exploits. > > Signed-off-by: Daniel Colascione The approach taken looks like a hard-coded security policy. For example, it won't be possible to set the sysctl knob in question on any sytem running kvm. So this is no good for any general purpose system. What's wrong with using a security policy for this instead? > --- > Documentation/admin-guide/sysctl/vm.rst | 13 +++++++++++++ > fs/userfaultfd.c | 11 ++++++++++- > include/linux/userfaultfd_k.h | 1 + > kernel/sysctl.c | 9 +++++++++ > 4 files changed, 33 insertions(+), 1 deletion(-) > > diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst > index 0329a4d3fa9e..4296b508ab74 100644 > --- a/Documentation/admin-guide/sysctl/vm.rst > +++ b/Documentation/admin-guide/sysctl/vm.rst > @@ -850,6 +850,19 @@ privileged users (with SYS_CAP_PTRACE capability). > > The default value is 1. > > +unprivileged_userfaultfd_user_mode_only > +======================================== > + > +This flag controls whether unprivileged users can use the userfaultfd > +system calls to handle page faults in kernel mode. If set to zero, > +userfaultfd works with or without UFFD_USER_MODE_ONLY, modulo > +unprivileged_userfaultfd above. If set to one, users without > +SYS_CAP_PTRACE must pass UFFD_USER_MODE_ONLY in order for userfaultfd > +to succeed. Prohibiting use of userfaultfd for handling faults from > +kernel mode may make certain vulnerabilities more difficult > +to exploit. > + > +The default value is 0. > > user_reserve_kbytes > =================== > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 21378abe8f7b..85cc1ab74361 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -29,6 +29,7 @@ > #include > > int sysctl_unprivileged_userfaultfd __read_mostly = 1; > +int sysctl_unprivileged_userfaultfd_user_mode_only __read_mostly = 0; > > static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly; > > @@ -2009,8 +2010,16 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > static const int uffd_flags = UFFD_USER_MODE_ONLY; > struct userfaultfd_ctx *ctx; > int fd; > + bool need_cap_check = false; > > - if (!sysctl_unprivileged_userfaultfd && !capable(CAP_SYS_PTRACE)) > + if (!sysctl_unprivileged_userfaultfd) > + need_cap_check = true; > + > + if (sysctl_unprivileged_userfaultfd_user_mode_only && > + (flags & UFFD_USER_MODE_ONLY) == 0) > + need_cap_check = true; > + > + if (need_cap_check && !capable(CAP_SYS_PTRACE)) > return -EPERM; > > BUG_ON(!current->mm); > diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h > index a8e5f3ea9bb2..d81e30074bf5 100644 > --- a/include/linux/userfaultfd_k.h > +++ b/include/linux/userfaultfd_k.h > @@ -31,6 +31,7 @@ > #define UFFD_FLAGS_SET (EFD_SHARED_FCNTL_FLAGS) > > extern int sysctl_unprivileged_userfaultfd; > +extern int sysctl_unprivileged_userfaultfd_user_mode_only; > > extern vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason); > > diff --git a/kernel/sysctl.c b/kernel/sysctl.c > index 8a176d8727a3..9cbdf4483961 100644 > --- a/kernel/sysctl.c > +++ b/kernel/sysctl.c > @@ -1719,6 +1719,15 @@ static struct ctl_table vm_table[] = { > .extra1 = SYSCTL_ZERO, > .extra2 = SYSCTL_ONE, > }, > + { > + .procname = "unprivileged_userfaultfd_user_mode_only", > + .data = &sysctl_unprivileged_userfaultfd_user_mode_only, > + .maxlen = sizeof(sysctl_unprivileged_userfaultfd_user_mode_only), > + .mode = 0644, > + .proc_handler = proc_dointvec_minmax, > + .extra1 = SYSCTL_ZERO, > + .extra2 = SYSCTL_ONE, > + }, > #endif > { } > }; > -- > 2.26.2.303.gf8c07b1a785-goog >