| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190312122927.GF14108@xz-x1>
Date: Tue, 12 Mar 2019 20:29:27 +0800
From: Peter Xu <peterx@...hat.com>
To: Mike Rapoport <rppt@...ux.ibm.com>
Cc: linux-kernel@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
Hugh Dickins <hughd@...gle.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Maxime Coquelin <maxime.coquelin@...hat.com>,
kvm@...r.kernel.org, Jerome Glisse <jglisse@...hat.com>,
Pavel Emelyanov <xemul@...tuozzo.com>,
Johannes Weiner <hannes@...xchg.org>,
Martin Cracauer <cracauer@...s.org>,
Denis Plotnikov <dplotnikov@...tuozzo.com>, linux-mm@...ck.org,
Marty McFadden <mcfadden8@...l.gov>,
Maya Gokhale <gokhale2@...l.gov>,
Mike Kravetz <mike.kravetz@...cle.com>,
Andrea Arcangeli <aarcange@...hat.com>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Kees Cook <keescook@...omium.org>,
Mel Gorman <mgorman@...e.de>,
"Kirill A . Shutemov" <kirill@...temov.name>,
linux-fsdevel@...r.kernel.org,
"Dr . David Alan Gilbert" <dgilbert@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users
On Tue, Mar 12, 2019 at 09:01:47AM +0200, Mike Rapoport wrote:
> Hi Peter,
>
> On Mon, Mar 11, 2019 at 05:36:58PM +0800, Peter Xu wrote:
> > Hi,
> >
> > (The idea comes from Andrea, and following discussions with Mike and
> > other people)
> >
> > This patchset introduces a new sysctl flag to allow the admin to
> > forbid users from using userfaultfd:
> >
> > $ cat /proc/sys/vm/unprivileged_userfaultfd
> > [disabled] enabled kvm
> >
> > - When set to "disabled", all unprivileged users are forbidden to
> > use userfaultfd syscalls.
> >
> > - When set to "enabled", all users are allowed to use userfaultfd
> > syscalls.
> >
> > - When set to "kvm", all unprivileged users are forbidden to use the
> > userfaultfd syscalls, except the user who has permission to open
> > /dev/kvm.
> >
> > This new flag can add one more layer of security to reduce the attack
> > surface of the kernel by abusing userfaultfd. Here we grant the
> > thread userfaultfd permission by checking against CAP_SYS_PTRACE
> > capability. By default, the value is "disabled" which is the most
> > strict policy. Distributions can have their own perferred value.
> >
> > The "kvm" entry is a bit special here only to make sure that existing
> > users like QEMU/KVM won't break by this newly introduced flag. What
> > we need to do is simply set the "unprivileged_userfaultfd" flag to
> > "kvm" here to automatically grant userfaultfd permission for processes
> > like QEMU/KVM without extra code to tweak these flags in the admin
> > code.
> >
> > Patch 1: The interface patch to introduce the flag
> >
> > Patch 2: The KVM related changes to detect opening of /dev/kvm
> >
> > Patch 3: Apply the flag to userfaultfd syscalls
>
> I'd appreciate to see "Patch 4: documentation update" ;-)
> It'd be also great to update the man pages after this is merged.
Oops, sorry! I should have remembered that.
>
> Except for the comment to patch 1, feel free to add
>
> Reviewed-by: Mike Rapoport <rppt@...ux.ibm.com>
Thanks Mike! I'll take it for 2/3 until I got confirmation from you
on patch 1.
Regards,
--
Peter Xu
Powered by blists - more mailing lists