| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190312070147.GC9497@rapoport-lnx>
Date: Tue, 12 Mar 2019 09:01:47 +0200
From: Mike Rapoport <rppt@...ux.ibm.com>
To: Peter Xu <peterx@...hat.com>
Cc: linux-kernel@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
Hugh Dickins <hughd@...gle.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Maxime Coquelin <maxime.coquelin@...hat.com>,
kvm@...r.kernel.org, Jerome Glisse <jglisse@...hat.com>,
Pavel Emelyanov <xemul@...tuozzo.com>,
Johannes Weiner <hannes@...xchg.org>,
Martin Cracauer <cracauer@...s.org>,
Denis Plotnikov <dplotnikov@...tuozzo.com>, linux-mm@...ck.org,
Marty McFadden <mcfadden8@...l.gov>,
Maya Gokhale <gokhale2@...l.gov>,
Mike Kravetz <mike.kravetz@...cle.com>,
Andrea Arcangeli <aarcange@...hat.com>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Kees Cook <keescook@...omium.org>,
Mel Gorman <mgorman@...e.de>,
"Kirill A . Shutemov" <kirill@...temov.name>,
linux-fsdevel@...r.kernel.org,
"Dr . David Alan Gilbert" <dgilbert@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users
Hi Peter,
On Mon, Mar 11, 2019 at 05:36:58PM +0800, Peter Xu wrote:
> Hi,
>
> (The idea comes from Andrea, and following discussions with Mike and
> other people)
>
> This patchset introduces a new sysctl flag to allow the admin to
> forbid users from using userfaultfd:
>
> $ cat /proc/sys/vm/unprivileged_userfaultfd
> [disabled] enabled kvm
>
> - When set to "disabled", all unprivileged users are forbidden to
> use userfaultfd syscalls.
>
> - When set to "enabled", all users are allowed to use userfaultfd
> syscalls.
>
> - When set to "kvm", all unprivileged users are forbidden to use the
> userfaultfd syscalls, except the user who has permission to open
> /dev/kvm.
>
> This new flag can add one more layer of security to reduce the attack
> surface of the kernel by abusing userfaultfd. Here we grant the
> thread userfaultfd permission by checking against CAP_SYS_PTRACE
> capability. By default, the value is "disabled" which is the most
> strict policy. Distributions can have their own perferred value.
>
> The "kvm" entry is a bit special here only to make sure that existing
> users like QEMU/KVM won't break by this newly introduced flag. What
> we need to do is simply set the "unprivileged_userfaultfd" flag to
> "kvm" here to automatically grant userfaultfd permission for processes
> like QEMU/KVM without extra code to tweak these flags in the admin
> code.
>
> Patch 1: The interface patch to introduce the flag
>
> Patch 2: The KVM related changes to detect opening of /dev/kvm
>
> Patch 3: Apply the flag to userfaultfd syscalls
I'd appreciate to see "Patch 4: documentation update" ;-)
It'd be also great to update the man pages after this is merged.
Except for the comment to patch 1, feel free to add
Reviewed-by: Mike Rapoport <rppt@...ux.ibm.com>
> All comments would be greatly welcomed. Thanks,
>
> Peter Xu (3):
> userfaultfd/sysctl: introduce unprivileged_userfaultfd
> kvm/mm: introduce MMF_USERFAULTFD_ALLOW flag
> userfaultfd: apply unprivileged_userfaultfd check
>
> fs/userfaultfd.c | 121 +++++++++++++++++++++++++++++++++
> include/linux/sched/coredump.h | 1 +
> include/linux/userfaultfd_k.h | 5 ++
> init/Kconfig | 11 +++
> kernel/sysctl.c | 11 +++
> virt/kvm/kvm_main.c | 7 ++
> 6 files changed, 156 insertions(+)
>
> --
> 2.17.1
>
--
Sincerely yours,
Mike.
Powered by blists - more mailing lists