From: Andrea Arcangeli <aarcange@redhat.com>
To: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, Peter Xu <peterx@redhat.com>,
linux-kernel@vger.kernel.org, Hugh Dickins <hughd@google.com>,
Luis Chamberlain <mcgrof@kernel.org>,
Maxime Coquelin <maxime.coquelin@redhat.com>,
kvm@vger.kernel.org, Jerome Glisse <jglisse@redhat.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Martin Cracauer <cracauer@cons.org>,
Denis Plotnikov <dplotnikov@virtuozzo.com>,
linux-mm@kvack.org, Marty McFadden <mcfadden8@llnl.gov>,
Maya Gokhale <gokhale2@llnl.gov>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Kees Cook <keescook@chromium.org>, Mel Gorman <mgorman@suse.de>,
"Kirill A . Shutemov" <kirill@shutemov.name>,
linux-fsdevel@vger.kernel.org,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users
Date: Wed, 13 Mar 2019 19:55:34 -0400 [thread overview]
Message-ID: <20190313235534.GK25147@redhat.com> (raw)
In-Reply-To: <e1fcdd99-20d3-c161-8a05-b98b8036137c@oracle.com>
On Wed, Mar 13, 2019 at 01:01:40PM -0700, Mike Kravetz wrote:
> On 3/13/19 11:52 AM, Andrea Arcangeli wrote:
> >
> > hugetlbfs is more complicated to detect, because even if you inherit
> > it from fork(), the services that mounts the fs may be in a different
> > container than the one that Oracle that uses userfaultfd later on down
> > the road from a different context. And I don't think it would be ok to
> > allow running userfaultfd just because you can open a file in an
> > hugetlbfs file system. With /dev/kvm it's a bit different, that's
> > chmod o-r by default.. no luser should be able to open it.
> >
> > Unless somebody suggests a consistent way to make hugetlbfs "just
> > work" (like we could achieve clean with CRIU and KVM), I think Oracle
> > will need a one liner change in the Oracle setup to echo into that
> > file in addition of running the hugetlbfs mount.
>
> I think you are suggesting the DB setup process enable uffd for all users.
> Correct?
Yes. In addition of the hugetlbfs setup, various apps requires to also
increase fs.inotify.max_user_watches or file-max and other tweaks,
this would be one of those tweaks.
> This may be too simple, and I don't really like group access, but how about
> just defining a uffd group? If you are in the group you can make uffd
> system calls.
Everything is possible, I'm just afraid it gets too complex.
So you suggest to echo a gid into the file?
WARNING: multiple messages have this Message-ID (diff)
From: Andrea Arcangeli <aarcange@redhat.com>
To: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, Peter Xu <peterx@redhat.com>,
linux-kernel@vger.kernel.org, Hugh Dickins <hughd@google.com>,
Luis Chamberlain <mcgrof@kernel.org>,
Maxime Coquelin <maxime.coquelin@redhat.com>,
kvm@vger.kernel.org, Jerome Glisse <jglisse@redhat.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Martin Cracauer <cracauer@cons.org>,
Denis Plotnikov <dplotnikov@virtuozzo.com>,
linux-mm@kvack.org, Marty McFadden <mcfadden8@llnl.gov>,
Maya Gokhale <gokhale2@llnl.gov>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Kees Cook <keescook@chromium.org>, Mel Gorman <mgorman@suse.de>,
"Kirill A . Shutemov" <kirill@shutemov.name>,
linux-fsdevel@vger.kernel.org,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
Andrew M
Subject: Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users
Date: Wed, 13 Mar 2019 19:55:34 -0400 [thread overview]
Message-ID: <20190313235534.GK25147@redhat.com> (raw)
In-Reply-To: <e1fcdd99-20d3-c161-8a05-b98b8036137c@oracle.com>
On Wed, Mar 13, 2019 at 01:01:40PM -0700, Mike Kravetz wrote:
> On 3/13/19 11:52 AM, Andrea Arcangeli wrote:
> >
> > hugetlbfs is more complicated to detect, because even if you inherit
> > it from fork(), the services that mounts the fs may be in a different
> > container than the one that Oracle that uses userfaultfd later on down
> > the road from a different context. And I don't think it would be ok to
> > allow running userfaultfd just because you can open a file in an
> > hugetlbfs file system. With /dev/kvm it's a bit different, that's
> > chmod o-r by default.. no luser should be able to open it.
> >
> > Unless somebody suggests a consistent way to make hugetlbfs "just
> > work" (like we could achieve clean with CRIU and KVM), I think Oracle
> > will need a one liner change in the Oracle setup to echo into that
> > file in addition of running the hugetlbfs mount.
>
> I think you are suggesting the DB setup process enable uffd for all users.
> Correct?
Yes. In addition of the hugetlbfs setup, various apps requires to also
increase fs.inotify.max_user_watches or file-max and other tweaks,
this would be one of those tweaks.
> This may be too simple, and I don't really like group access, but how about
> just defining a uffd group? If you are in the group you can make uffd
> system calls.
Everything is possible, I'm just afraid it gets too complex.
So you suggest to echo a gid into the file?
next prev parent reply other threads:[~2019-03-13 23:55 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-11 9:36 [PATCH 0/3] userfaultfd: allow to forbid unprivileged users Peter Xu
2019-03-11 9:36 ` Peter Xu
2019-03-11 9:36 ` [PATCH 1/3] userfaultfd/sysctl: introduce unprivileged_userfaultfd Peter Xu
2019-03-11 9:36 ` Peter Xu
2019-03-12 6:58 ` Mike Rapoport
2019-03-12 6:58 ` Mike Rapoport
2019-03-12 12:26 ` Peter Xu
2019-03-12 12:26 ` Peter Xu
2019-03-12 13:53 ` Mike Rapoport
2019-03-12 13:53 ` Mike Rapoport
2019-03-11 9:37 ` [PATCH 2/3] kvm/mm: introduce MMF_USERFAULTFD_ALLOW flag Peter Xu
2019-03-11 9:37 ` Peter Xu
2019-03-11 9:37 ` [PATCH 3/3] userfaultfd: apply unprivileged_userfaultfd check Peter Xu
2019-03-11 9:37 ` Peter Xu
2019-03-11 9:58 ` Peter Xu
2019-03-11 9:58 ` Peter Xu
2019-03-12 7:01 ` [PATCH 0/3] userfaultfd: allow to forbid unprivileged users Mike Rapoport
2019-03-12 7:01 ` Mike Rapoport
2019-03-12 12:29 ` Peter Xu
2019-03-12 12:29 ` Peter Xu
2019-03-12 7:49 ` Kirill A. Shutemov
2019-03-12 7:49 ` Kirill A. Shutemov
2019-03-12 7:49 ` Kirill A. Shutemov
2019-03-12 12:43 ` Peter Xu
2019-03-12 12:43 ` Peter Xu
2019-03-12 12:43 ` Peter Xu
2019-03-12 19:59 ` Mike Kravetz
2019-03-12 19:59 ` Mike Kravetz
2019-03-13 6:00 ` Peter Xu
2019-03-13 6:00 ` Peter Xu
2019-03-13 8:22 ` Paolo Bonzini
2019-03-13 8:22 ` Paolo Bonzini
2019-03-13 18:52 ` Andrea Arcangeli
2019-03-13 18:52 ` Andrea Arcangeli
2019-03-13 19:12 ` Paolo Bonzini
2019-03-13 19:12 ` Paolo Bonzini
2019-03-13 19:12 ` Paolo Bonzini
2019-03-13 23:44 ` Andrea Arcangeli
2019-03-13 23:44 ` Andrea Arcangeli
2019-03-14 10:58 ` Paolo Bonzini
2019-03-14 10:58 ` Paolo Bonzini
2019-03-14 15:23 ` Alexei Starovoitov
2019-03-14 15:23 ` Alexei Starovoitov
2019-03-14 15:23 ` Alexei Starovoitov
2019-03-14 16:00 ` Paolo Bonzini
2019-03-14 16:00 ` Paolo Bonzini
2019-03-14 16:16 ` Andrea Arcangeli
2019-03-14 16:16 ` Andrea Arcangeli
2019-03-15 16:09 ` Kees Cook
2019-03-15 16:09 ` Kees Cook
2019-03-15 16:09 ` Kees Cook
2019-03-13 20:01 ` Mike Kravetz
2019-03-13 23:55 ` Andrea Arcangeli [this message]
2019-03-13 23:55 ` Andrea Arcangeli
2019-03-14 3:32 ` Mike Kravetz
2019-03-14 3:32 ` Mike Kravetz
2019-03-13 17:50 ` Mike Kravetz
2019-03-13 17:50 ` Mike Kravetz
2019-03-15 8:26 ` Peter Xu
2019-03-15 8:26 ` Peter Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190313235534.GK25147@redhat.com \
--to=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=cracauer@cons.org \
--cc=dgilbert@redhat.com \
--cc=dplotnikov@virtuozzo.com \
--cc=gokhale2@llnl.gov \
--cc=hannes@cmpxchg.org \
--cc=hughd@google.com \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kirill@shutemov.name \
--cc=kvm@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maxime.coquelin@redhat.com \
--cc=mcfadden8@llnl.gov \
--cc=mcgrof@kernel.org \
--cc=mgorman@suse.de \
--cc=mike.kravetz@oracle.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=rppt@linux.vnet.ibm.com \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.