From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 385BCC43334
	for <linux-mm@archiver.kernel.org>; Tue, 19 Jul 2022 21:18:41 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 900076B0072; Tue, 19 Jul 2022 17:18:40 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 8B0D26B0073; Tue, 19 Jul 2022 17:18:40 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 7792A6B0074; Tue, 19 Jul 2022 17:18:40 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id 6A0266B0072
	for <linux-mm@kvack.org>; Tue, 19 Jul 2022 17:18:40 -0400 (EDT)
Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id 3D7B112036D
	for <linux-mm@kvack.org>; Tue, 19 Jul 2022 21:18:40 +0000 (UTC)
X-FDA: 79705113600.11.D4C6C8D
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by imf06.hostedemail.com (Postfix) with ESMTP id BF01318005A
	for <linux-mm@kvack.org>; Tue, 19 Jul 2022 21:18:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1658265519;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=qQ4UdihwA3u3irfHx6eGnZO09RoO1lQsj+Krqj+1YXg=;
	b=B/JdtpHQWtKdfD+LvEB+aT/uqawBNZCOUx0Edeto+TFfdEW2Jr4SoyfjiPvbSpSJBS0CFV
	ydKfnm356G+0QfFDLbQUODC3H7Cbx+ye2qe+RSOyxUaTEGDeTPv7kDXD1CKwASVEfElpU7
	nkOrYqjuBsslp+s5Ga5JZWFPX1MTQDs=
Received: from mail-qt1-f199.google.com (mail-qt1-f199.google.com
 [209.85.160.199]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-629-PTpdAb--OVaS2WP9zhpTEg-1; Tue, 19 Jul 2022 17:18:38 -0400
X-MC-Unique: PTpdAb--OVaS2WP9zhpTEg-1
Received: by mail-qt1-f199.google.com with SMTP id a10-20020ac84d8a000000b0031ee6389b7eso6348374qtw.6
        for <linux-mm@kvack.org>; Tue, 19 Jul 2022 14:18:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=qQ4UdihwA3u3irfHx6eGnZO09RoO1lQsj+Krqj+1YXg=;
        b=ZPwkIesPepjTV8x7m78cCv8UGw4XwCwsgPk5GETI+vdMiSnExtKlfHpbB34LdbI6zw
         8oMllF+Tzr1Z9tKK9poEpVW83AHbwADLhmU5wM++X3fPVldN9qb96Ql3UGZ7EugtmjgT
         4SRFqyu0vP/jjEWtNmB4ErgD9y2KuyJwOLV1W5kGDA5mxK2z4JJeJEs0Ob9Td2AoyuHb
         Q4bTzLXEU5whx3HIB8jk6t2qelaLQCTTjeTyn+e9FNcHPU7eCLsp6L3ZH5b6CBbQxVye
         HAwPDe+ayH2hADjUgcjB/mBfwtkZ470Mts+FwYtgEN6Sai0rCrW/VdG42aRPXo9QwwOP
         iQlA==
X-Gm-Message-State: AJIora/udLJXHCeXavh54T4RXGQkH3YRgjK2e8xVnkT3gtc37j0RHX1m
	8/rxdkfeZBeTtW5Ah3AYRcp3iuSjR2qHSsZ3soBzU53t1s7ZRyeItf63S8pKI6OfJCftaATGPsR
	yO1NEHR+op+g=
X-Received: by 2002:a05:620a:469f:b0:6b6:74c:6b10 with SMTP id bq31-20020a05620a469f00b006b6074c6b10mr2002414qkb.80.1658265517811;
        Tue, 19 Jul 2022 14:18:37 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1solk9LbHq5kw8KaBY3e4msSDmv+aW7vjooY/eq2+EXMQV5yRa7rp8kr6cJ8pNcJb3bUwoNpA==
X-Received: by 2002:a05:620a:469f:b0:6b6:74c:6b10 with SMTP id bq31-20020a05620a469f00b006b6074c6b10mr2002393qkb.80.1658265517591;
        Tue, 19 Jul 2022 14:18:37 -0700 (PDT)
Received: from xz-m1.local (bras-base-aurron9127w-grc-37-74-12-30-48.dsl.bell.ca. [74.12.30.48])
        by smtp.gmail.com with ESMTPSA id s10-20020ac85eca000000b0031ede43512bsm8530570qtx.44.2022.07.19.14.18.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 19 Jul 2022 14:18:37 -0700 (PDT)
Date: Tue, 19 Jul 2022 17:18:34 -0400
From: Peter Xu <peterx@redhat.com>
To: Axel Rasmussen <axelrasmussen@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"Dmitry V . Levin" <ldv@altlinux.org>,
	Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>,
	Hugh Dickins <hughd@google.com>, Jan Kara <jack@suse.cz>,
	Jonathan Corbet <corbet@lwn.net>,
	Mel Gorman <mgorman@techsingularity.net>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Mike Rapoport <rppt@kernel.org>, Nadav Amit <namit@vmware.com>,
	Shuah Khan <shuah@kernel.org>,
	Suren Baghdasaryan <surenb@google.com>,
	Vlastimil Babka <vbabka@suse.cz>, zhangyi <yi.zhang@huawei.com>,
	linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v4 2/5] userfaultfd: add /dev/userfaultfd for fine
 grained access control
Message-ID: <YtcfqpmpkVXz/Frl@xz-m1.local>
References: <20220719195628.3415852-1-axelrasmussen@google.com>
 <20220719195628.3415852-3-axelrasmussen@google.com>
MIME-Version: 1.0
In-Reply-To: <20220719195628.3415852-3-axelrasmussen@google.com>
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
ARC-Authentication-Results: i=1;
	imf06.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="B/JdtpHQ";
	spf=none (imf06.hostedemail.com: domain of peterx@redhat.com has no SPF policy when checking 170.10.129.124) smtp.mailfrom=peterx@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1658265519;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=qQ4UdihwA3u3irfHx6eGnZO09RoO1lQsj+Krqj+1YXg=;
	b=K5FvWmr9P4dQtYcaQyOR9HFN8OXT+W07d1v0PX8Gs/C3D6ldYJBKqoToCf4PZdTkScxlXS
	372mbcjk4daAt+dGgYs8fzYBifLEtpXaCNjkZc1kySSzRkSxgiMTYmaJ0DCbjIOSv7vHGj
	603vhlv0ANyswDwHUrhl5dlNpx7lU2k=
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1658265519; a=rsa-sha256;
	cv=none;
	b=di+ToZXxDUMZdRrAuz5NdOAB2YRPIiTx2uK1rcP4CpApmeENDqq5yw4iCCYDTuwNC8YA5f
	F8Gdtue5iJGMYX7R+DkxNzlmK685JjMKs15yQ94IEvWROEbulaeQ1QzWYW7MFKwoSCAQ1J
	rkf/FwK1UysbNkoSVJmx/La0ViT4anw=
X-Rspam-User: 
X-Rspamd-Queue-Id: BF01318005A
Authentication-Results: imf06.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="B/JdtpHQ";
	spf=none (imf06.hostedemail.com: domain of peterx@redhat.com has no SPF policy when checking 170.10.129.124) smtp.mailfrom=peterx@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
X-Stat-Signature: nwtp48eqryakcjsgqqyiheg37zd53ska
X-Rspamd-Server: rspam07
X-HE-Tag: 1658265519-344737
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Tue, Jul 19, 2022 at 12:56:25PM -0700, Axel Rasmussen wrote:
> Historically, it has been shown that intercepting kernel faults with
> userfaultfd (thereby forcing the kernel to wait for an arbitrary amount
> of time) can be exploited, or at least can make some kinds of exploits
> easier. So, in 37cd0575b8 "userfaultfd: add UFFD_USER_MODE_ONLY" we
> changed things so, in order for kernel faults to be handled by
> userfaultfd, either the process needs CAP_SYS_PTRACE, or this sysctl
> must be configured so that any unprivileged user can do it.
> 
> In a typical implementation of a hypervisor with live migration (take
> QEMU/KVM as one such example), we do indeed need to be able to handle
> kernel faults. But, both options above are less than ideal:
> 
> - Toggling the sysctl increases attack surface by allowing any
>   unprivileged user to do it.
> 
> - Granting the live migration process CAP_SYS_PTRACE gives it this
>   ability, but *also* the ability to "observe and control the
>   execution of another process [...], and examine and change [its]
>   memory and registers" (from ptrace(2)). This isn't something we need
>   or want to be able to do, so granting this permission violates the
>   "principle of least privilege".
> 
> This is all a long winded way to say: we want a more fine-grained way to
> grant access to userfaultfd, without granting other additional
> permissions at the same time.
> 
> To achieve this, add a /dev/userfaultfd misc device. This device
> provides an alternative to the userfaultfd(2) syscall for the creation
> of new userfaultfds. The idea is, any userfaultfds created this way will
> be able to handle kernel faults, without the caller having any special
> capabilities. Access to this mechanism is instead restricted using e.g.
> standard filesystem permissions.
> 
> Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>

Thanks, this looks much better.

Acked-by: Peter Xu <peterx@redhat.com>

-- 
Peter Xu