From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 653A8C43334
	for <linux-mm@archiver.kernel.org>; Tue, 14 Jun 2022 20:24:30 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id E26906B0073; Tue, 14 Jun 2022 16:24:29 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id DAFC26B0074; Tue, 14 Jun 2022 16:24:29 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id C02D36B0075; Tue, 14 Jun 2022 16:24:29 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17])
	by kanga.kvack.org (Postfix) with ESMTP id AFC966B0073
	for <linux-mm@kvack.org>; Tue, 14 Jun 2022 16:24:29 -0400 (EDT)
Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay01.hostedemail.com (Postfix) with ESMTP id 8203160C51
	for <linux-mm@kvack.org>; Tue, 14 Jun 2022 20:24:29 +0000 (UTC)
X-FDA: 79577969058.27.DA0155A
Received: from mail-io1-f44.google.com (mail-io1-f44.google.com [209.85.166.44])
	by imf19.hostedemail.com (Postfix) with ESMTP id 19DD41A0094
	for <linux-mm@kvack.org>; Tue, 14 Jun 2022 20:24:28 +0000 (UTC)
Received: by mail-io1-f44.google.com with SMTP id i16so10615094ioa.6
        for <linux-mm@kvack.org>; Tue, 14 Jun 2022 13:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=vaTd6J5QW2zH+C0RW1NLJUMn73O3x7V9fILF9tLqrzI=;
        b=gRVRxHZMe7GB0CMT7h68KGoW9wprnOjEoeTrdTux4jLVQBc6iVdCNm+kcl5WQF+Cz2
         JtExKCFNoo4EFeNNqD1eSojr64JLEV1BfzRV+EQZHSvC5LBywUXaf7kQiiOO235C86X4
         hNYJtch2R0PBiluBbXbdWKTzekpDDqXVBeRFj5DN1+VkM13YIRCzp3WG7Km0S+mA0uLj
         vrnR7unp0020iNc1qX1iTREpmwCXBKBpqjTpoKG3ANGjME/Yv9bcclsdEN26n4G6qFA3
         ac8RReknpeEI4OpUlVPxbdvgkyf0lalZQJIWbI5ZeHntnojVYz6B+Tiiecxqlao2LfIH
         17Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=vaTd6J5QW2zH+C0RW1NLJUMn73O3x7V9fILF9tLqrzI=;
        b=DtDrdWES0lw+O/u/DHdnUzw4NeuzDGpjzTZpbR+q/Y2udtCzQOKso4pw2R7scqWdjN
         ba5A8CbaNypyH+Y2vm18gHsOJ3oLdUfKLIXUb9acy901Pl6q2mPTajQmZEbKEhJnKrTm
         t+hcTJE++unemTkNHvjQrbazQKxyEvlSoOfm8vW08dYkZlMZb9n1R02VWIs4zKyP4Bus
         cUdTLYXumXvpME5LAmk+NTB5SH9FxFUjszKT9cyGXEkUmMqEbuxhPTyqP/43wM1o7ORm
         gmGOKa3rwUe3N/Eumlhzj6xh9O8land2L7Xi2nBnOy9JH3UyDdqeipA16lWsdyT5qogg
         DA0Q==
X-Gm-Message-State: AOAM532HZtGLXspFzHgkT+IFgIordR+RQTJUN7hBJ50GQudcAxbw+8Jc
	A+9pDQQ1EPD0+RUKvaxfH3DAIT9SSY8ZhALGjcwk/g==
X-Google-Smtp-Source: ABdhPJxLjAfk4yJjPZ49rC5OWFXh9ANQ837dlv+XDuJcCGSbPEAHdRsUXzEvf2lpgiu8Gw11a3UVil6vMRe/1LGT4wQ=
X-Received: by 2002:a6b:3e42:0:b0:669:ae49:589 with SMTP id
 l63-20020a6b3e42000000b00669ae490589mr3353488ioa.138.1655238268174; Tue, 14
 Jun 2022 13:24:28 -0700 (PDT)
MIME-Version: 1.0
References: <20220601210951.3916598-1-axelrasmussen@google.com>
 <20220601210951.3916598-3-axelrasmussen@google.com> <20220613145540.1c9f7750092911bae1332b92@linux-foundation.org>
 <Yqe6R+XSH+nFc8se@xz-m1.local> <CAJHvVchdmV42qCgO6j=zGBi0DeVcvW1OC88rHUP6V66Fg3CSww@mail.gmail.com>
 <87k09kxi59.fsf@meer.lwn.net>
In-Reply-To: <87k09kxi59.fsf@meer.lwn.net>
From: Axel Rasmussen <axelrasmussen@google.com>
Date: Tue, 14 Jun 2022 13:23:52 -0700
Message-ID: <CAJHvVcjAnewRATU3AAZK+TFpNbfiVATfd1tt_ok2k+X+3s3dBA@mail.gmail.com>
Subject: Re: [PATCH v3 2/6] userfaultfd: add /dev/userfaultfd for fine grained
 access control
To: Jonathan Corbet <corbet@lwn.net>
Cc: Peter Xu <peterx@redhat.com>, Andrew Morton <akpm@linux-foundation.org>, 
	Alexander Viro <viro@zeniv.linux.org.uk>, Charan Teja Reddy <charante@codeaurora.org>, 
	Dave Hansen <dave.hansen@linux.intel.com>, "Dmitry V . Levin" <ldv@altlinux.org>, 
	Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>, Hugh Dickins <hughd@google.com>, Jan Kara <jack@suse.cz>, 
	Mel Gorman <mgorman@techsingularity.net>, Mike Kravetz <mike.kravetz@oracle.com>, 
	Mike Rapoport <rppt@kernel.org>, Nadav Amit <namit@vmware.com>, Shuah Khan <shuah@kernel.org>, 
	Suren Baghdasaryan <surenb@google.com>, Vlastimil Babka <vbabka@suse.cz>, zhangyi <yi.zhang@huawei.com>, 
	linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, 
	LKML <linux-kernel@vger.kernel.org>, Linux MM <linux-mm@kvack.org>, 
	Linuxkselftest <linux-kselftest@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1655238269; a=rsa-sha256;
	cv=none;
	b=cqk9I2uVFsHTl5eB6lAgVuRpvmcGhF17vmO3CHISHduKO/hMNHrrJy5QHNazI5RbVP+yI4
	vHhZQWsnPEwRWT4IyZtmmOHm75TCwrVhuj1jxN+l+IbqWeXGZ+9YOmHiQo7PIWD+6BESUE
	m690tYF+zHkkAJSDDfbc7dvA3xzGdjk=
ARC-Authentication-Results: i=1;
	imf19.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=gRVRxHZM;
	spf=pass (imf19.hostedemail.com: domain of axelrasmussen@google.com designates 209.85.166.44 as permitted sender) smtp.mailfrom=axelrasmussen@google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1655238269;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=vaTd6J5QW2zH+C0RW1NLJUMn73O3x7V9fILF9tLqrzI=;
	b=KNp4zHx+WR2EtgRQowuMGBwoGnwJLz9gWAtFXqkBNaStXD7AG/T8IUaMK3lMLf8ofA568x
	MdKfivPqJsWHT9cPWBM5iRRgGNJ+JH/FEjtCUZVxruKRUqXq3bTuumTnsIghu4hHGiu/am
	b2K6edQSwhXHHVzeolR+QaTuheh+Svw=
X-Stat-Signature: 6tagasa6tziyqra5b4m3udjp9os8kda4
X-Rspamd-Queue-Id: 19DD41A0094
Authentication-Results: imf19.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=gRVRxHZM;
	spf=pass (imf19.hostedemail.com: domain of axelrasmussen@google.com designates 209.85.166.44 as permitted sender) smtp.mailfrom=axelrasmussen@google.com;
	dmarc=pass (policy=reject) header.from=google.com
X-Rspamd-Server: rspam07
X-Rspam-User: 
X-HE-Tag: 1655238268-474122
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Jun 13, 2022 at 4:23 PM Jonathan Corbet <corbet@lwn.net> wrote:
>
> Axel Rasmussen <axelrasmussen@google.com> writes:
>
> > I think for any approach involving syscalls, we need to be able to
> > control access to who can call a syscall. Maybe there's another way
> > I'm not aware of, but I think today the only mechanism to do this is
> > capabilities. I proposed adding a CAP_USERFAULTFD for this purpose,
> > but that approach was rejected [1]. So, I'm not sure of another way
> > besides using a device node.
>
> I take it there's a reason why this can't be done with a security module
> - either a custom module or a policy in one of the existing modules?
> That sort of access control is just what security modules are supposed
> to be for, after all.
>
> Thanks,
>
> jon

Admittedly I haven't tried proposing a patch, but I suspect there
would be pushback against adding an entirely new LSM just for this
case, similarly to the reasons the CAP_USERFAULTFD approach was
rejected.

For existing LSMs, I think SELinux can be used to restrict access to
syscalls. But then again, it's fairly heavy weight / difficult to
configure, and I suspect migrating production servers which don't use
it today would be a nontrivial undertaking. At least to me it seems
unfortunate to say, there isn't an obvious "safe" way to use
userfaultfd, without enabling + configuring selinux. (That assumes by
"safe" we mean, without granting wider-than necessary access to
userfaultfd, or without granting uffd-using processes more permissions
[root or CAP_SYS_PTRACE] to do their job.) I suspect if we do that
then in practice many? most? users will just either run UFFD programs
as root, or toggle the sysctl to allow unprivileged UFFD usage.