linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
@ 2019-11-05 15:29 Mike Rapoport
  2019-11-05 15:29 ` [PATCH 1/1] " Mike Rapoport
  0 siblings, 1 reply; 24+ messages in thread
From: Mike Rapoport @ 2019-11-05 15:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Andrea Arcangeli, Andrew Morton, Andy Lutomirski,
	Daniel Colascione, Jann Horn, Linus Torvalds, Lokesh Gidra,
	Nick Kralevich, Nosh Minwalla, Pavel Emelyanov, Tim Murray,
	linux-api, linux-mm, Mike Rapoport

Hi,

A while ago Andy noticed [1] that UFFD_FEATURE_EVENT_FORK used by an
unprivileged user may have security implications.

As the first step of the solution the following patch limits the
availably of UFFD_FEATURE_EVENT_FORK only for those having CAP_SYS_PTRACE.

The usage of CAP_SYS_PTRACE ensures compatibility with CRIU.

Yet, if there are other users of non-cooperative userfaultfd that run
without CAP_SYS_PTRACE, they would be broken :(

[1] https://lore.kernel.org/lkml/CALCETrWY+5ynDct7eU_nDUqx=okQvjm=Y5wJvA4ahBja=CQXGw@mail.gmail.com

Mike Rapoport (1):
  userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK

 fs/userfaultfd.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

-- 
2.7.4



^ permalink raw reply	[flat|nested] 24+ messages in thread

end of thread, other threads:[~2019-11-10 17:03 UTC | newest]

Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-05 15:29 [PATCH 0/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK Mike Rapoport
2019-11-05 15:29 ` [PATCH 1/1] " Mike Rapoport
2019-11-05 15:37   ` Andrea Arcangeli
2019-11-05 15:55   ` Daniel Colascione
2019-11-05 16:00     ` Andy Lutomirski
2019-11-05 16:06       ` Daniel Colascione
2019-11-05 16:33         ` Andrea Arcangeli
2019-11-05 16:39           ` Daniel Colascione
2019-11-05 16:55             ` Andrea Arcangeli
2019-11-05 17:02               ` Daniel Colascione
2019-11-05 17:30                 ` Andrea Arcangeli
2019-11-05 22:01                 ` Andy Lutomirski
2019-11-05 22:10                   ` Daniel Colascione
2019-11-05 16:24       ` Andrea Arcangeli
2019-11-05 16:41         ` Daniel Colascione
2019-11-07  8:39           ` Mike Rapoport
2019-11-07  8:54             ` Daniel Colascione
2019-11-07 15:38               ` Andrea Arcangeli
2019-11-07 16:15                 ` Daniel Colascione
2019-11-07 18:22                   ` Andrea Arcangeli
2019-11-07 18:50                     ` Daniel Colascione
2019-11-07 19:27                       ` Andrea Arcangeli
2019-11-10 17:02                     ` Andy Lutomirski
2019-11-05 15:59   ` Aleksa Sarai

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).