From: Axel Rasmussen <axelrasmussen@google.com>
To: Peter Xu <peterxu@google.com>, Andrea Arcangeli <aarcange@redhat.com>
Cc: Linux MM <linux-mm@kvack.org>,
James Houghton <jthoughton@google.com>,
Lokesh Gidra <lokeshgidra@google.com>
Subject: Adding a new capability for userfaultfd?
Date: Fri, 21 May 2021 15:41:07 -0700 [thread overview]
Message-ID: <CAJHvVciQWBM3LGHf+yU-3Dt8oFJfHWLE=O=U1EiSQ25dTQ8Tqg@mail.gmail.com> (raw)
Hi all,
Somewhat recently, this series [1] added UFFD_USER_MODE_ONLY. The idea
is, letting userspace intercept kernel faults opens a potential attack
surface, so it's better to restrict this by default.
However, consider the use case of live migration. We have some
userspace process on the migration target, which needs to handle
kernel faults. With this series, we have two options:
1. Grant this userspace process more privileges - CAP_SYS_PTRACE, run
as root, etc.
2. Disable the UFFD_USER_MODE_ONLY restriction, via vm.userfault.
We would prefer not to do (2), as this opens up the attack surface [1]
was originally trying to address. We'd also prefer not to do (1),
because it sort of grants the live migration handler the permissions
it needs, *plus a lot more*. It's sort of not fine grained enough.
So, what are your thoughts on adding a new CAP_USERFAULTFD, as a more
fine grained way to grant this specific permission? It seems like
there is some precedent for this - take CAP_CHECKPOINT_RESTORE, for
example.
If this passes a quick sanity check, I can send a series which does
this for review.
Thanks!
[1]: https://lore.kernel.org/patchwork/cover/1342060/
reply other threads:[~2021-05-21 22:41 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJHvVciQWBM3LGHf+yU-3Dt8oFJfHWLE=O=U1EiSQ25dTQ8Tqg@mail.gmail.com' \
--to=axelrasmussen@google.com \
--cc=aarcange@redhat.com \
--cc=jthoughton@google.com \
--cc=linux-mm@kvack.org \
--cc=lokeshgidra@google.com \
--cc=peterxu@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox