From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DCD96C19F2D
	for <linux-mm@archiver.kernel.org>; Thu, 11 Aug 2022 06:37:48 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 370DE8E0001; Thu, 11 Aug 2022 02:37:48 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 3209B6B0074; Thu, 11 Aug 2022 02:37:48 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 20E878E0001; Thu, 11 Aug 2022 02:37:48 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10])
	by kanga.kvack.org (Postfix) with ESMTP id 1438F6B0073
	for <linux-mm@kvack.org>; Thu, 11 Aug 2022 02:37:48 -0400 (EDT)
Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id DFA9412071A
	for <linux-mm@kvack.org>; Thu, 11 Aug 2022 06:37:47 +0000 (UTC)
X-FDA: 79786356174.29.958BCC5
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
	by imf29.hostedemail.com (Postfix) with ESMTP id 49484120176
	for <linux-mm@kvack.org>; Thu, 11 Aug 2022 06:37:47 +0000 (UTC)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ams.source.kernel.org (Postfix) with ESMTPS id D229CB81E93;
	Thu, 11 Aug 2022 06:37:45 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 879F9C433D6;
	Thu, 11 Aug 2022 06:37:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1660199864;
	bh=x207FYSJa7cUI/hPBLKm3lge12rqi5SLownAS+tQ2PU=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=P+gz12zRt5PPNOeWI+8t9bPR8S3Wg0llsJEQL75p3c3ObZtjpVcEja24kRPpKHaSH
	 A7u36ZwEgsKuqUTM+QsKNT9DbzKD+AtLtfNrlmrROJtaOabDHtqkeeS9q/jCu9EHaO
	 wu/zfMTKnLPxH5oeH+sYqXsGllBvIWZWFSSxR9lg7JfGw/B6ArK/gLFIqyGIXRGJTi
	 OKMla3FHwxm+r94GKQReLlM2nKQys9csaUkAr1r4GkqQXw0A/GTCzeRPuAXavfQypG
	 Oh7Am6CJIyakRhP9DRWOGTnQ29hQQaLDShSgU14EFHxlTF6y34SB8R7fe7ppvpYn7T
	 DIT5KA1GEeiFg==
Date: Thu, 11 Aug 2022 09:37:25 +0300
From: Mike Rapoport <rppt@kernel.org>
To: Axel Rasmussen <axelrasmussen@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"Dmitry V . Levin" <ldv@altlinux.org>,
	Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>,
	Hugh Dickins <hughd@google.com>, Jan Kara <jack@suse.cz>,
	Jonathan Corbet <corbet@lwn.net>,
	Mel Gorman <mgorman@techsingularity.net>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Nadav Amit <namit@vmware.com>, Peter Xu <peterx@redhat.com>,
	Shuah Khan <shuah@kernel.org>,
	Suren Baghdasaryan <surenb@google.com>,
	Vlastimil Babka <vbabka@suse.cz>, zhangyi <yi.zhang@huawei.com>,
	linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-mm@kvack.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v5 2/5] userfaultfd: add /dev/userfaultfd for fine
 grained access control
Message-ID: <YvSjpYOM4m5JG0xQ@kernel.org>
References: <20220808175614.3885028-1-axelrasmussen@google.com>
 <20220808175614.3885028-3-axelrasmussen@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220808175614.3885028-3-axelrasmussen@google.com>
ARC-Authentication-Results: i=1;
	imf29.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=P+gz12zR;
	dmarc=pass (policy=none) header.from=kernel.org;
	spf=pass (imf29.hostedemail.com: domain of rppt@kernel.org designates 145.40.68.75 as permitted sender) smtp.mailfrom=rppt@kernel.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1660199867; a=rsa-sha256;
	cv=none;
	b=xVKjAQyyX99j1k6Y15XD4XBB/F/qZNW/nUQMRNA59DzTavtpD2yZ6kXQcug/pyLclW5URi
	v81tUdTNZbUpO7AIDRKXPvtX8xU4psoNJdrJbV3zcu552tt1KIvSpUChsGRczC67uXdOh+
	aMgX+Rxs5OwhzwZw40OmiliN3RHWh/4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1660199867;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=RcvzpcuPoW8+DqihqWcp4uXaa4+pA48bIELCJRKMt9I=;
	b=pUQlbi+xn8rR2FFh2YqXFZAFMPLOzB8C5T5ZSx+2RIia9wQZfCd3TTm3+9Z1VDDXYPz0a8
	ZGWTmBBM3OQLMT2/4ifkvHgTvKXYRotr5AjHnWA4GYVVz74+P8gT27PzwXYEZmmf9La6Ek
	qLmeGm9Og09Q69z3yG2Zcf+4IrfVYTw=
X-Rspam-User: 
Authentication-Results: imf29.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=P+gz12zR;
	dmarc=pass (policy=none) header.from=kernel.org;
	spf=pass (imf29.hostedemail.com: domain of rppt@kernel.org designates 145.40.68.75 as permitted sender) smtp.mailfrom=rppt@kernel.org
X-Stat-Signature: ax1xsbem9frujaz77kusduxi1dy73mgd
X-Rspamd-Server: rspam11
X-Rspamd-Queue-Id: 49484120176
X-HE-Tag: 1660199867-479327
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Aug 08, 2022 at 10:56:11AM -0700, Axel Rasmussen wrote:
> Historically, it has been shown that intercepting kernel faults with
> userfaultfd (thereby forcing the kernel to wait for an arbitrary amount
> of time) can be exploited, or at least can make some kinds of exploits
> easier. So, in 37cd0575b8 "userfaultfd: add UFFD_USER_MODE_ONLY" we
> changed things so, in order for kernel faults to be handled by
> userfaultfd, either the process needs CAP_SYS_PTRACE, or this sysctl
> must be configured so that any unprivileged user can do it.
> 
> In a typical implementation of a hypervisor with live migration (take
> QEMU/KVM as one such example), we do indeed need to be able to handle
> kernel faults. But, both options above are less than ideal:
> 
> - Toggling the sysctl increases attack surface by allowing any
>   unprivileged user to do it.
> 
> - Granting the live migration process CAP_SYS_PTRACE gives it this
>   ability, but *also* the ability to "observe and control the
>   execution of another process [...], and examine and change [its]
>   memory and registers" (from ptrace(2)). This isn't something we need
>   or want to be able to do, so granting this permission violates the
>   "principle of least privilege".
> 
> This is all a long winded way to say: we want a more fine-grained way to
> grant access to userfaultfd, without granting other additional
> permissions at the same time.
> 
> To achieve this, add a /dev/userfaultfd misc device. This device
> provides an alternative to the userfaultfd(2) syscall for the creation
> of new userfaultfds. The idea is, any userfaultfds created this way will
> be able to handle kernel faults, without the caller having any special
> capabilities. Access to this mechanism is instead restricted using e.g.
> standard filesystem permissions.
> 
> Acked-by: Nadav Amit <namit@vmware.com>
> Acked-by: Peter Xu <peterx@redhat.com>
> Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>

Acked-by: Mike Rapoport <rppt@linux.ibm.com>

> ---
>  fs/userfaultfd.c                 | 73 +++++++++++++++++++++++++-------
>  include/uapi/linux/userfaultfd.h |  4 ++
>  2 files changed, 61 insertions(+), 16 deletions(-)

-- 
Sincerely yours,
Mike.