From: Daniel Colascione <dancol@google.com>
To: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
lokeshgidra@google.com, dancol@google.com, nnk@google.com
Cc: nosh@google.com, timmurray@google.com
Subject: [PATCH 6/7] Allow users to require UFFD_SECURE
Date: Sat, 12 Oct 2019 12:16:01 -0700 [thread overview]
Message-ID: <20191012191602.45649-7-dancol@google.com> (raw)
In-Reply-To: <20191012191602.45649-1-dancol@google.com>
This change adds 2 as an allowable value for
unprivileged_userfaultfd. (Previously, this sysctl could be either 0
or 1.) When unprivileged_userfaultfd is 2, users with CAP_SYS_PTRACE
may create userfaultfd with or without UFFD_SECURE, but users without
CAP_SYS_PTRACE must pass UFFD_SECURE to userfaultfd in order for the
system call to succeed, effectively forcing them to opt into
additional security checks.
Signed-off-by: Daniel Colascione <dancol@google.com>
---
Documentation/admin-guide/sysctl/vm.rst | 6 ++++--
fs/userfaultfd.c | 4 +++-
kernel/sysctl.c | 2 +-
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst
index 64aeee1009ca..6664eec7bd35 100644
--- a/Documentation/admin-guide/sysctl/vm.rst
+++ b/Documentation/admin-guide/sysctl/vm.rst
@@ -842,8 +842,10 @@ unprivileged_userfaultfd
This flag controls whether unprivileged users can use the userfaultfd
system calls. Set this to 1 to allow unprivileged users to use the
-userfaultfd system calls, or set this to 0 to restrict userfaultfd to only
-privileged users (with SYS_CAP_PTRACE capability).
+userfaultfd system calls, or set this to 0 to restrict userfaultfd to
+only privileged users (with SYS_CAP_PTRACE capability). If set to 2,
+unprivileged (non-SYS_CAP_PTRACE) users may use userfaultfd only if
+they pass the UFFD_SECURE, enabling MAC security checks.
The default value is 1.
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 986d23b2cd33..aaed9347973e 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1963,8 +1963,10 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
struct userfaultfd_ctx *ctx;
int fd;
static const int uffd_flags = UFFD_SECURE | UFFD_USER_MODE_ONLY;
+ bool need_cap_check = sysctl_unprivileged_userfaultfd == 0 ||
+ (sysctl_unprivileged_userfaultfd == 2 && !(flags & UFFD_SECURE));
- if (!sysctl_unprivileged_userfaultfd && !capable(CAP_SYS_PTRACE))
+ if (need_cap_check && !capable(CAP_SYS_PTRACE))
return -EPERM;
BUG_ON(!current->mm);
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 00fcea236eba..fc98d5df344e 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1738,7 +1738,7 @@ static struct ctl_table vm_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = SYSCTL_ZERO,
- .extra2 = SYSCTL_ONE,
+ .extra2 = &two,
},
#endif
{ }
--
2.23.0.700.g56cf767bdb-goog
next prev parent reply other threads:[~2019-10-12 19:16 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-12 19:15 [PATCH 0/7] Harden userfaultfd Daniel Colascione
2019-10-12 19:15 ` [PATCH 1/7] Add a new flags-accepting interface for anonymous inodes Daniel Colascione
2019-10-14 4:26 ` kbuild test robot
2019-10-14 4:26 ` kbuild test robot
2019-10-14 4:26 ` kbuild test robot
2019-10-14 15:38 ` Jann Horn
2019-10-14 18:15 ` Daniel Colascione
2019-10-14 18:30 ` Jann Horn
2019-10-15 8:08 ` Christoph Hellwig
2019-10-12 19:15 ` [PATCH 2/7] Add a concept of a "secure" anonymous file Daniel Colascione
2019-10-14 3:01 ` kbuild test robot
2019-10-14 3:01 ` kbuild test robot
2019-10-14 3:01 ` kbuild test robot
2019-10-15 8:08 ` Christoph Hellwig
2019-10-12 19:15 ` [PATCH 3/7] Add a UFFD_SECURE flag to the userfaultfd API Daniel Colascione
2019-10-12 23:10 ` Andy Lutomirski
2019-10-13 0:51 ` Daniel Colascione
2019-10-13 1:14 ` Andy Lutomirski
2019-10-13 1:38 ` Daniel Colascione
2019-10-14 16:04 ` Jann Horn
2019-10-23 19:09 ` Andrea Arcangeli
2019-10-23 19:21 ` Andy Lutomirski
2019-10-23 21:16 ` Andrea Arcangeli
2019-10-23 21:25 ` Andy Lutomirski
2019-10-23 22:41 ` Andrea Arcangeli
2019-10-23 23:01 ` Andy Lutomirski
2019-10-23 23:27 ` Andrea Arcangeli
2019-10-23 20:05 ` Daniel Colascione
2019-10-24 0:23 ` Andrea Arcangeli
2019-10-23 20:15 ` Linus Torvalds
2019-10-24 9:02 ` Mike Rapoport
2019-10-24 15:10 ` Andrea Arcangeli
2019-10-25 20:12 ` Mike Rapoport
2019-10-22 21:27 ` Daniel Colascione
2019-10-23 4:11 ` Andy Lutomirski
2019-10-23 7:29 ` Cyrill Gorcunov
2019-10-23 12:43 ` Mike Rapoport
2019-10-23 17:13 ` Andy Lutomirski
2019-10-12 19:15 ` [PATCH 4/7] Teach SELinux about a new userfaultfd class Daniel Colascione
2019-10-12 23:08 ` Andy Lutomirski
2019-10-13 0:11 ` Daniel Colascione
2019-10-13 0:46 ` Andy Lutomirski
2019-10-12 19:16 ` [PATCH 5/7] Let userfaultfd opt out of handling kernel-mode faults Daniel Colascione
2019-10-12 19:16 ` Daniel Colascione [this message]
2019-10-12 23:12 ` [PATCH 6/7] Allow users to require UFFD_SECURE Andy Lutomirski
2019-10-12 19:16 ` [PATCH 7/7] Add a new sysctl for limiting userfaultfd to user mode faults Daniel Colascione
2019-10-16 0:02 ` [PATCH 0/7] Harden userfaultfd James Morris
2019-11-15 15:09 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191012191602.45649-7-dancol@google.com \
--to=dancol@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lokeshgidra@google.com \
--cc=nnk@google.com \
--cc=nosh@google.com \
--cc=timmurray@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.