From: Andrea Arcangeli <aarcange@redhat.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Xu <peterx@redhat.com>,
linux-kernel@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
Hugh Dickins <hughd@google.com>,
Maxime Coquelin <maxime.coquelin@redhat.com>,
Maya Gokhale <gokhale2@llnl.gov>,
Jerome Glisse <jglisse@redhat.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Martin Cracauer <cracauer@cons.org>,
Denis Plotnikov <dplotnikov@virtuozzo.com>,
linux-mm@kvack.org, Marty McFadden <mcfadden8@llnl.gov>,
Mike Kravetz <mike.kravetz@oracle.com>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Kees Cook <keescook@chromium.org>, Mel Gorman <mgorman@suse.de>,
"Kirill A . Shutemov" <kirill@shutemov.name>,
linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2 1/1] userfaultfd/sysctl: add vm.unprivileged_userfaultfd
Date: Thu, 21 Mar 2019 17:06:17 -0400 [thread overview]
Message-ID: <20190321210617.GB22094@redhat.com> (raw)
In-Reply-To: <20190321134335.GB1146@42.do-not-panic.com>
Hello,
On Thu, Mar 21, 2019 at 01:43:35PM +0000, Luis Chamberlain wrote:
> On Wed, Mar 20, 2019 at 03:01:12PM -0400, Andrea Arcangeli wrote:
> > but
> > that would be better be achieved through SECCOMP and not globally.'.
>
> That begs the question why not use seccomp for this? What if everyone
> decided to add a knob for all syscalls to do the same? For the commit
> log, why is it OK then to justify a knob for this syscall?
That's a good point and it's obviously more secure because you can
block a lot more than just bpf and userfaultfd: however not all
syscalls have CONFIG_USERFAULTFD=n or CONFIG_BPF_SYSCALL=n that you
can set to =n at build time, then they'll return -ENOSYS (implemented
as sys_ni_syscall in the =n case).
The point of the bpf (already included upstream) and userfaultfd
(proposed) sysctl is to avoid users having to rebuild the kernel if
they want to harden their setup without being forced to run all
containers under seccomp, just like they could by setting those two
config options "=n" at build time.
So you can see it like allowing a runtime selection of
CONFIG_USERFAULTFD and CONFIG_BPF_SYSCALL without the kernel build
time config forcing the decision on behalf of the end user.
Thanks,
Andrea
WARNING: multiple messages have this Message-ID (diff)
From: Andrea Arcangeli <aarcange@redhat.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Xu <peterx@redhat.com>,
linux-kernel@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
Hugh Dickins <hughd@google.com>,
Maxime Coquelin <maxime.coquelin@redhat.com>,
Maya Gokhale <gokhale2@llnl.gov>,
Jerome Glisse <jglisse@redhat.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Martin Cracauer <cracauer@cons.org>,
Denis Plotnikov <dplotnikov@virtuozzo.com>,
linux-mm@kvack.org, Marty McFadden <mcfadden8@llnl.gov>,
Mike Kravetz <mike.kravetz@oracle.com>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Kees Cook <keescook@chromium.org>, Mel Gorman <mgorman@suse.de>,
"Kirill A . Shutemov" <kirill@shutemov.name>,
linux-ap
Subject: Re: [PATCH v2 1/1] userfaultfd/sysctl: add vm.unprivileged_userfaultfd
Date: Thu, 21 Mar 2019 17:06:17 -0400 [thread overview]
Message-ID: <20190321210617.GB22094@redhat.com> (raw)
In-Reply-To: <20190321134335.GB1146@42.do-not-panic.com>
Hello,
On Thu, Mar 21, 2019 at 01:43:35PM +0000, Luis Chamberlain wrote:
> On Wed, Mar 20, 2019 at 03:01:12PM -0400, Andrea Arcangeli wrote:
> > but
> > that would be better be achieved through SECCOMP and not globally.'.
>
> That begs the question why not use seccomp for this? What if everyone
> decided to add a knob for all syscalls to do the same? For the commit
> log, why is it OK then to justify a knob for this syscall?
That's a good point and it's obviously more secure because you can
block a lot more than just bpf and userfaultfd: however not all
syscalls have CONFIG_USERFAULTFD=n or CONFIG_BPF_SYSCALL=n that you
can set to =n at build time, then they'll return -ENOSYS (implemented
as sys_ni_syscall in the =n case).
The point of the bpf (already included upstream) and userfaultfd
(proposed) sysctl is to avoid users having to rebuild the kernel if
they want to harden their setup without being forced to run all
containers under seccomp, just like they could by setting those two
config options "=n" at build time.
So you can see it like allowing a runtime selection of
CONFIG_USERFAULTFD and CONFIG_BPF_SYSCALL without the kernel build
time config forcing the decision on behalf of the end user.
Thanks,
Andrea
next prev parent reply other threads:[~2019-03-21 21:06 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-19 3:07 [PATCH v2 0/1] userfaultfd: allow to forbid unprivileged users Peter Xu
2019-03-19 3:07 ` Peter Xu
2019-03-19 3:07 ` [PATCH v2 1/1] userfaultfd/sysctl: add vm.unprivileged_userfaultfd Peter Xu
2019-03-19 3:07 ` Peter Xu
2019-03-19 7:11 ` Mike Rapoport
2019-03-19 7:11 ` Mike Rapoport
2019-03-19 18:07 ` Andrea Arcangeli
2019-03-19 18:07 ` Andrea Arcangeli
2019-03-19 18:02 ` Andrew Morton
2019-03-19 18:02 ` Andrew Morton
2019-03-19 18:28 ` Dr. David Alan Gilbert
2019-03-19 18:28 ` Dr. David Alan Gilbert
2019-03-20 0:20 ` Peter Xu
2019-03-20 0:20 ` Peter Xu
2019-03-20 19:01 ` Andrea Arcangeli
2019-03-20 19:01 ` Andrea Arcangeli
2019-03-21 13:43 ` Luis Chamberlain
2019-03-21 13:43 ` Luis Chamberlain
2019-03-21 21:06 ` Andrea Arcangeli [this message]
2019-03-21 21:06 ` Andrea Arcangeli
2019-04-23 22:19 ` Kees Cook
2019-04-23 22:19 ` Kees Cook
2019-04-23 22:19 ` Kees Cook
2020-05-27 6:54 Xiaoming Ni
2020-05-27 14:21 ` Peter Xu
2020-05-28 8:50 ` Xiaoming Ni
2020-05-28 12:49 ` Peter Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190321210617.GB22094@redhat.com \
--to=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=cracauer@cons.org \
--cc=dgilbert@redhat.com \
--cc=dplotnikov@virtuozzo.com \
--cc=gokhale2@llnl.gov \
--cc=hannes@cmpxchg.org \
--cc=hughd@google.com \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kirill@shutemov.name \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maxime.coquelin@redhat.com \
--cc=mcfadden8@llnl.gov \
--cc=mcgrof@kernel.org \
--cc=mgorman@suse.de \
--cc=mike.kravetz@oracle.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=rppt@linux.vnet.ibm.com \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.