[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a112a896-0629-d967-ab08-8d25970f9a9f@oracle.com>
Date: Wed, 13 Mar 2019 20:32:23 -0700
From: Mike Kravetz <mike.kravetz@...cle.com>
To: Andrea Arcangeli <aarcange@...hat.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>, Peter Xu <peterx@...hat.com>,
linux-kernel@...r.kernel.org, Hugh Dickins <hughd@...gle.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Maxime Coquelin <maxime.coquelin@...hat.com>,
kvm@...r.kernel.org, Jerome Glisse <jglisse@...hat.com>,
Pavel Emelyanov <xemul@...tuozzo.com>,
Johannes Weiner <hannes@...xchg.org>,
Martin Cracauer <cracauer@...s.org>,
Denis Plotnikov <dplotnikov@...tuozzo.com>, linux-mm@...ck.org,
Marty McFadden <mcfadden8@...l.gov>,
Maya Gokhale <gokhale2@...l.gov>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Kees Cook <keescook@...omium.org>,
Mel Gorman <mgorman@...e.de>,
"Kirill A . Shutemov" <kirill@...temov.name>,
linux-fsdevel@...r.kernel.org,
"Dr . David Alan Gilbert" <dgilbert@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users
On 3/13/19 4:55 PM, Andrea Arcangeli wrote:
> On Wed, Mar 13, 2019 at 01:01:40PM -0700, Mike Kravetz wrote:
>> On 3/13/19 11:52 AM, Andrea Arcangeli wrote:
>>> Unless somebody suggests a consistent way to make hugetlbfs "just
>>> work" (like we could achieve clean with CRIU and KVM), I think Oracle
>>> will need a one liner change in the Oracle setup to echo into that
>>> file in addition of running the hugetlbfs mount.
>>
>> I think you are suggesting the DB setup process enable uffd for all users.
>> Correct?
>
> Yes. In addition of the hugetlbfs setup, various apps requires to also
> increase fs.inotify.max_user_watches or file-max and other tweaks,
> this would be one of those tweaks.
Yes, I agree.
It is just that unprivileged_userfaultfd disabled would likely to be the
default set by distros. Or, perhaps 'kvm'? Then, if you want to run the
DB, the admin (or the DB) will need to set it to enabled. And, this results
in it being enabled for everyone. I think I understand the scope of any
security exposure this would cause from a technical perspective. However,
I can imagine people being concerned about enabling everywhere if this is
not the default setting.
If it is OK to disable everywhere, why not just use disable for the kvm
use case as well? :)
>> This may be too simple, and I don't really like group access, but how about
>> just defining a uffd group? If you are in the group you can make uffd
>> system calls.
>
> Everything is possible, I'm just afraid it gets too complex.
>
> So you suggest to echo a gid into the file?
That is what I was thinking. But, I was mostly thinking of that because
Peter's earlier comment made me go and check hugetlbfs code. There is a
sysctl_hugetlb_shm_group variable that does this, even though it is mostly
unused in the hugetlbfs code.
I know the kvm dev open scheme works for kvm. Was just trying to think
of something more general that would work for hugetlbfs/DB or other use
cases.
--
Mike Kravetz
Powered by blists - more mailing lists