From: Axel Rasmussen <axelrasmussen@google.com>
To: Jonathan Corbet <corbet@lwn.net>
Cc: Peter Xu <peterx@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Charan Teja Reddy <charante@codeaurora.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
"Dmitry V . Levin" <ldv@altlinux.org>,
Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>,
Hugh Dickins <hughd@google.com>, Jan Kara <jack@suse.cz>,
Mel Gorman <mgorman@techsingularity.net>,
Mike Kravetz <mike.kravetz@oracle.com>,
Mike Rapoport <rppt@kernel.org>, Nadav Amit <namit@vmware.com>,
Shuah Khan <shuah@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Vlastimil Babka <vbabka@suse.cz>, zhangyi <yi.zhang@huawei.com>,
linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
Linux MM <linux-mm@kvack.org>,
Linuxkselftest <linux-kselftest@vger.kernel.org>
Subject: Re: [PATCH v3 2/6] userfaultfd: add /dev/userfaultfd for fine grained access control
Date: Tue, 14 Jun 2022 13:23:52 -0700 [thread overview]
Message-ID: <CAJHvVcjAnewRATU3AAZK+TFpNbfiVATfd1tt_ok2k+X+3s3dBA@mail.gmail.com> (raw)
In-Reply-To: <87k09kxi59.fsf@meer.lwn.net>
On Mon, Jun 13, 2022 at 4:23 PM Jonathan Corbet <corbet@lwn.net> wrote:
>
> Axel Rasmussen <axelrasmussen@google.com> writes:
>
> > I think for any approach involving syscalls, we need to be able to
> > control access to who can call a syscall. Maybe there's another way
> > I'm not aware of, but I think today the only mechanism to do this is
> > capabilities. I proposed adding a CAP_USERFAULTFD for this purpose,
> > but that approach was rejected [1]. So, I'm not sure of another way
> > besides using a device node.
>
> I take it there's a reason why this can't be done with a security module
> - either a custom module or a policy in one of the existing modules?
> That sort of access control is just what security modules are supposed
> to be for, after all.
>
> Thanks,
>
> jon
Admittedly I haven't tried proposing a patch, but I suspect there
would be pushback against adding an entirely new LSM just for this
case, similarly to the reasons the CAP_USERFAULTFD approach was
rejected.
For existing LSMs, I think SELinux can be used to restrict access to
syscalls. But then again, it's fairly heavy weight / difficult to
configure, and I suspect migrating production servers which don't use
it today would be a nontrivial undertaking. At least to me it seems
unfortunate to say, there isn't an obvious "safe" way to use
userfaultfd, without enabling + configuring selinux. (That assumes by
"safe" we mean, without granting wider-than necessary access to
userfaultfd, or without granting uffd-using processes more permissions
[root or CAP_SYS_PTRACE] to do their job.) I suspect if we do that
then in practice many? most? users will just either run UFFD programs
as root, or toggle the sysctl to allow unprivileged UFFD usage.
next prev parent reply other threads:[~2022-06-14 20:24 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-01 21:09 [PATCH v3 0/6] " Axel Rasmussen
2022-06-01 21:09 ` [PATCH v3 1/6] selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh Axel Rasmussen
2022-06-01 21:09 ` [PATCH v3 2/6] userfaultfd: add /dev/userfaultfd for fine grained access control Axel Rasmussen
2022-06-13 21:55 ` Andrew Morton
2022-06-13 22:29 ` Peter Xu
2022-06-13 22:38 ` Axel Rasmussen
2022-06-13 23:23 ` Jonathan Corbet
2022-06-14 20:23 ` Axel Rasmussen [this message]
2022-06-14 0:10 ` Nadav Amit
2022-06-15 0:55 ` Axel Rasmussen
2022-06-15 16:47 ` Nadav Amit
2022-06-14 19:09 ` Peter Xu
2022-06-15 0:53 ` Axel Rasmussen
2022-06-01 21:09 ` [PATCH v3 3/6] userfaultfd: selftests: modify selftest to use /dev/userfaultfd Axel Rasmussen
2022-06-14 19:25 ` Peter Xu
2022-06-01 21:09 ` [PATCH v3 4/6] userfaultfd: update documentation to describe /dev/userfaultfd Axel Rasmussen
2022-06-14 4:19 ` Mike Rapoport
2022-06-14 19:36 ` Peter Xu
2022-06-01 21:09 ` [PATCH v3 5/6] userfaultfd: selftests: make /dev/userfaultfd testing configurable Axel Rasmussen
2022-06-14 19:43 ` Peter Xu
2022-06-15 22:25 ` Nadav Amit
2022-06-01 21:09 ` [PATCH v3 6/6] selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh Axel Rasmussen
2022-06-14 19:43 ` Peter Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJHvVcjAnewRATU3AAZK+TFpNbfiVATfd1tt_ok2k+X+3s3dBA@mail.gmail.com \
--to=axelrasmussen@google.com \
--cc=akpm@linux-foundation.org \
--cc=charante@codeaurora.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=glebfm@altlinux.org \
--cc=hughd@google.com \
--cc=jack@suse.cz \
--cc=ldv@altlinux.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mgorman@techsingularity.net \
--cc=mike.kravetz@oracle.com \
--cc=namit@vmware.com \
--cc=peterx@redhat.com \
--cc=rppt@kernel.org \
--cc=shuah@kernel.org \
--cc=surenb@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=yi.zhang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox