Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp1795706iog; Tue, 14 Jun 2022 13:38:53 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uGFLc/apb5PtdDHYeEMVc0L1cg+WyqOnYUbixaaZAIRvvZ8QDCVdGDJdNz3lfJbu/XRiRl X-Received: by 2002:a17:90b:2310:b0:1e8:8379:6098 with SMTP id mt16-20020a17090b231000b001e883796098mr6294188pjb.112.1655239133536; Tue, 14 Jun 2022 13:38:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655239133; cv=none; d=google.com; s=arc-20160816; b=SdQ9L8saj7n5I0ocS//69ovh2t98SM0lstw0BISD/v7ItdT4etlrNGh1Oskq3QZ+E5 NJOZS7lSYJmHQ4b4lXVGCLR/D4kIQw+9Stg66AT6UMaqV6sN1y9qg6TBZu1oqtxA5VAg 5PhA1El93+FpySI/ZvwDnOkQVG/4acTVxDneFn3npEZ6/YKL1kal54VhtTRqselMRWHE GdiMghgB2MMSGcI6X7VRMnvuEfdmo8ldahh8ebY4rCUVlF+04wkZ8rJfABeNufIDvu8H pk+KDSPpD4ru76FuEf8YxQMplLFK9BcLKJRw6Bk0zeE6KZCzNUfDK3+G56wahED7w+Wz kQQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=vaTd6J5QW2zH+C0RW1NLJUMn73O3x7V9fILF9tLqrzI=; b=COSzdJQcRKT0jzXk4B71/GVZiV2sZsTfc9vOXmLvRc7p8MLj3GxI+8tBhyvgY/hQSX 9nrbjpw2k61UqSenMVr5a+xwxB96odhSEc0S9oSZw62vBbG8a35gEVI0+D7ykjnaXSR6 8oedGnZjNcHVNYJaJe/6/d7xOAEEYnNGHxVpKCC0B/r58wpjif/P9BZt2gfSg71k8MMG 2DGSDFbIHJI3gTsPY399zWajX4jUWODuI9pn38j+0sJQJLF7nhKv9V62HLIzsCghqnY8 vjDj+jO4M4/U8LLHlnDAVRHWn2l1AEwibK/bIHcpOxv7zKQpHTgjugM1WuThx3AGD9PQ gw/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=gRVRxHZM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ng16-20020a17090b1a9000b001ea4b95ba98si22397pjb.103.2022.06.14.13.38.40; Tue, 14 Jun 2022 13:38:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=gRVRxHZM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357412AbiFNUYj (ORCPT + 99 others); Tue, 14 Jun 2022 16:24:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44302 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357273AbiFNUYb (ORCPT ); Tue, 14 Jun 2022 16:24:31 -0400 Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1C7F442EDB for ; Tue, 14 Jun 2022 13:24:29 -0700 (PDT) Received: by mail-io1-xd34.google.com with SMTP id b138so3789732iof.13 for ; Tue, 14 Jun 2022 13:24:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vaTd6J5QW2zH+C0RW1NLJUMn73O3x7V9fILF9tLqrzI=; b=gRVRxHZMe7GB0CMT7h68KGoW9wprnOjEoeTrdTux4jLVQBc6iVdCNm+kcl5WQF+Cz2 JtExKCFNoo4EFeNNqD1eSojr64JLEV1BfzRV+EQZHSvC5LBywUXaf7kQiiOO235C86X4 hNYJtch2R0PBiluBbXbdWKTzekpDDqXVBeRFj5DN1+VkM13YIRCzp3WG7Km0S+mA0uLj vrnR7unp0020iNc1qX1iTREpmwCXBKBpqjTpoKG3ANGjME/Yv9bcclsdEN26n4G6qFA3 ac8RReknpeEI4OpUlVPxbdvgkyf0lalZQJIWbI5ZeHntnojVYz6B+Tiiecxqlao2LfIH 17Zw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vaTd6J5QW2zH+C0RW1NLJUMn73O3x7V9fILF9tLqrzI=; b=cguXN+tjxlsp7e8Rl4pgeO7kvm1/7gX8TPUqVA7dt3gFN8/MEV6BlCsVPuYJBWNbiO bkzUppOO3IK8CSwQZruYPNvacErq29mTQ1N/JMElVHNIBOeJgFNMCdy5ei28pDFzNo2h m9w4zRFY+QY70K57GGzMN8aTnUnpqx+MyGCmrz81CIELC6rKtos8/F18YnJ6ke/kpjI3 sBas+8/BZ4kziZ4z2k7jxFhORoUIA0pVCo48xWEfNCADpRR9Saj+d5+qTy2G0P4N54BE rN+8FTr8GtHnxq/Vk+hMNy0Q5e+AeITCzg9z3R8eta7j6I/mh9ClP2pMymjrQn68Y9+U 64pg== X-Gm-Message-State: AOAM5318iycdNuHLmbIi/dt4NQk/KZ8nZsQx/hWYBRfTU7EOhFYlwKQc arUQ/eL0qPmExvkSe0emr57mLRO5DUBXV+fShG7mQg== X-Received: by 2002:a6b:3e42:0:b0:669:ae49:589 with SMTP id l63-20020a6b3e42000000b00669ae490589mr3353488ioa.138.1655238268174; Tue, 14 Jun 2022 13:24:28 -0700 (PDT) MIME-Version: 1.0 References: <20220601210951.3916598-1-axelrasmussen@google.com> <20220601210951.3916598-3-axelrasmussen@google.com> <20220613145540.1c9f7750092911bae1332b92@linux-foundation.org> <87k09kxi59.fsf@meer.lwn.net> In-Reply-To: <87k09kxi59.fsf@meer.lwn.net> From: Axel Rasmussen Date: Tue, 14 Jun 2022 13:23:52 -0700 Message-ID: Subject: Re: [PATCH v3 2/6] userfaultfd: add /dev/userfaultfd for fine grained access control To: Jonathan Corbet Cc: Peter Xu , Andrew Morton , Alexander Viro , Charan Teja Reddy , Dave Hansen , "Dmitry V . Levin" , Gleb Fotengauer-Malinovskiy , Hugh Dickins , Jan Kara , Mel Gorman , Mike Kravetz , Mike Rapoport , Nadav Amit , Shuah Khan , Suren Baghdasaryan , Vlastimil Babka , zhangyi , linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, LKML , Linux MM , Linuxkselftest Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 13, 2022 at 4:23 PM Jonathan Corbet wrote: > > Axel Rasmussen writes: > > > I think for any approach involving syscalls, we need to be able to > > control access to who can call a syscall. Maybe there's another way > > I'm not aware of, but I think today the only mechanism to do this is > > capabilities. I proposed adding a CAP_USERFAULTFD for this purpose, > > but that approach was rejected [1]. So, I'm not sure of another way > > besides using a device node. > > I take it there's a reason why this can't be done with a security module > - either a custom module or a policy in one of the existing modules? > That sort of access control is just what security modules are supposed > to be for, after all. > > Thanks, > > jon Admittedly I haven't tried proposing a patch, but I suspect there would be pushback against adding an entirely new LSM just for this case, similarly to the reasons the CAP_USERFAULTFD approach was rejected. For existing LSMs, I think SELinux can be used to restrict access to syscalls. But then again, it's fairly heavy weight / difficult to configure, and I suspect migrating production servers which don't use it today would be a nontrivial undertaking. At least to me it seems unfortunate to say, there isn't an obvious "safe" way to use userfaultfd, without enabling + configuring selinux. (That assumes by "safe" we mean, without granting wider-than necessary access to userfaultfd, or without granting uffd-using processes more permissions [root or CAP_SYS_PTRACE] to do their job.) I suspect if we do that then in practice many? most? users will just either run UFFD programs as root, or toggle the sysctl to allow unprivileged UFFD usage.