From patchwork Mon Mar 11 09:37:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Xu X-Patchwork-Id: 10847133 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6869B14DE for ; Mon, 11 Mar 2019 09:37:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5439D28FBD for ; Mon, 11 Mar 2019 09:37:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 488A128FD4; Mon, 11 Mar 2019 09:37:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CE3B528FBD for ; Mon, 11 Mar 2019 09:37:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 025788E0010; Mon, 11 Mar 2019 05:37:44 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id F160D8E0002; Mon, 11 Mar 2019 05:37:43 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E059D8E0010; Mon, 11 Mar 2019 05:37:43 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com [209.85.160.198]) by kanga.kvack.org (Postfix) with ESMTP id BAA588E0002 for ; Mon, 11 Mar 2019 05:37:43 -0400 (EDT) Received: by mail-qt1-f198.google.com with SMTP id f15so900005qtk.16 for ; Mon, 11 Mar 2019 02:37:43 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:in-reply-to:references; bh=XR4pYl9tGrZmg1P3ZFPkJ/fJzo0KOPocn85f2y3YdsI=; b=bU/Af+I6rY7kAetcyUiom7sCu4mw0x2kRuXBy3vchHKWcAZjMhmJlPBwMxGc7wkaXb LAB9jFC7tTCfmqoQOYxFx28IPPfdtV8LEp39vTfj7kcw4GvVfkAdsSH6NjUOpqVB/k8f St3h6RAPMVF+9v1UtgvQyR+17cH2D2ptGVQiWWFUVMQ5dbP2cm5mUjHVqnC5CdbAz/6o noOsypmNwIuBZAYaFp5dtukv5VRM3/+qSd+pI1QgXWpW+YicT0P6mrqsvCxDhRKgw+GA O16tPVMf52pxunN6PdsqJNbVsSPIdQDD2ZJd8xgdLIPi+l7pKNHrqQwoEdDWTFiG0iBe m4Gg== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of peterx@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=peterx@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com X-Gm-Message-State: APjAAAU+uAwI3+rNFiy1aU9SGWW6U7/qO+zeSPBtCfk4SRU0ZAryD25o spiu/5QvQY0FsBwA4i8d/GBadgDxuP/OyjjnsTBeS5i6HGRmJvqunJiZ+C5Uj3eT1pdtBvCnD7R zLA1P7w06GTxpMc79+lo/wC75yuj7iKmuCTBKGffMjvXWC4WQv9EdmkJwL6mVLJ9ONA== X-Received: by 2002:a37:7e83:: with SMTP id z125mr15663075qkc.351.1552297063503; Mon, 11 Mar 2019 02:37:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqzErwavpn/Vxz2Br4Fuy06JFXA/O8aHcufg5EN+e/yceLR/6pe6UvdKHaglG6oclbF9JJHK X-Received: by 2002:a37:7e83:: with SMTP id z125mr15663048qkc.351.1552297062512; Mon, 11 Mar 2019 02:37:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552297062; cv=none; d=google.com; s=arc-20160816; b=0nVbaLBsgpdJcWJEeSO7RG2Reev6LtUTiDBaqn10tu7xi1GCgeHEVUMlKyOFjJ2rIc Qr0xcsh8RMJSAdr6tSCux3W+1+LArkL6pGV3W/1YHGYx/Cx2Ds5naY/X+PlhgAKt0uE9 FouyCSExUBSRphDM+OaWuxmaGGecmlabKGQY5hccolrZbsLdyPQR3Lc06TY6UF3sxA6w u5xTGPcKzrmU5DrBdQTWiexubT3lPVFletCeOjVCEa0sNZbWF8WkCM7ql4LqzNr7TlVz 4fcKf47X+ZwH3qdUfq9OFVJBRFgvRjQEXbSirzYuBc8OnAnss6F6dSQcVuGg8x4Agxdr AELA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=XR4pYl9tGrZmg1P3ZFPkJ/fJzo0KOPocn85f2y3YdsI=; b=BwlST+cW+D32jbaTOTXo4h76OJ+E1+TXvsS2/HVEF/Hi/AYdv8t2ajIRfqIEk//lsi /IgeWUCVKS/DjmnEmBLawngdvv2In15JYd+oWd1rjYHF1c7PTPUgLy3XaxkerI4QRPi+ gQC75NcHjv64i6PKYm4o19Ed9WIWZKnsvQ0cEjEuBSPz27Z6axj3sX02t4kpd09kAssF aBKXPB8fDHnsk292GvUd0QRuzlcZABhjSeUkkuHIFyybfSq7CKxFaa3HXSmjxI98fJdP wbcrPyCMLgKFuGFb67h7zqSxljo/a6aoFriYzZQYckFvcdkuw0gASYqldzR0QXz6IX/O hAUg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of peterx@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=peterx@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28]) by mx.google.com with ESMTPS id u27si1041902qtk.279.2019.03.11.02.37.42 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Mar 2019 02:37:42 -0700 (PDT) Received-SPF: pass (google.com: domain of peterx@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; Authentication-Results: mx.google.com; spf=pass (google.com: domain of peterx@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=peterx@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A7D2EC002965; Mon, 11 Mar 2019 09:37:41 +0000 (UTC) Received: from xz-x1.nay.redhat.com (dhcp-14-116.nay.redhat.com [10.66.14.116]) by smtp.corp.redhat.com (Postfix) with ESMTP id B3B195D705; Mon, 11 Mar 2019 09:37:34 +0000 (UTC) From: Peter Xu To: linux-kernel@vger.kernel.org Cc: Paolo Bonzini , Hugh Dickins , Luis Chamberlain , Maxime Coquelin , kvm@vger.kernel.org, Jerome Glisse , Pavel Emelyanov , Johannes Weiner , peterx@redhat.com, Martin Cracauer , Denis Plotnikov , linux-mm@kvack.org, Marty McFadden , Maya Gokhale , Mike Kravetz , Andrea Arcangeli , Mike Rapoport , Kees Cook , Mel Gorman , "Kirill A . Shutemov" , linux-fsdevel@vger.kernel.org, "Dr . David Alan Gilbert" , Andrew Morton Subject: [PATCH 3/3] userfaultfd: apply unprivileged_userfaultfd check Date: Mon, 11 Mar 2019 17:37:01 +0800 Message-Id: <20190311093701.15734-4-peterx@redhat.com> In-Reply-To: <20190311093701.15734-1-peterx@redhat.com> References: <20190311093701.15734-1-peterx@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Mon, 11 Mar 2019 09:37:41 +0000 (UTC) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Apply the unprivileged_userfaultfd check when doing userfaultfd syscall. We didn't check it in other paths of userfaultfd (e.g., the ioctl() path) because we don't want to drag down the fast path of userfaultfd, as suggested by Andrea. Suggested-by: Andrea Arcangeli Suggested-by: Mike Rapoport Signed-off-by: Peter Xu --- fs/userfaultfd.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index c2188464555a..effdcfc88629 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -951,6 +951,28 @@ void userfaultfd_unmap_complete(struct mm_struct *mm, struct list_head *uf) } } +/* Whether current process allows to use userfaultfd syscalls */ +static bool userfaultfd_allowed(void) +{ + bool allowed = false; + + switch (unprivileged_userfaultfd) { + case UFFD_UNPRIV_ENABLED: + allowed = true; + break; + case UFFD_UNPRIV_KVM: + allowed = !!test_bit(MMF_USERFAULTFD_ALLOW, + ¤t->mm->flags); + /* Fall through */ + case UFFD_UNPRIV_DISABLED: + allowed = allowed || ns_capable(current_user_ns(), + CAP_SYS_PTRACE); + break; + } + + return allowed; +} + static int userfaultfd_release(struct inode *inode, struct file *file) { struct userfaultfd_ctx *ctx = file->private_data; @@ -2018,6 +2040,9 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) BUILD_BUG_ON(UFFD_CLOEXEC != O_CLOEXEC); BUILD_BUG_ON(UFFD_NONBLOCK != O_NONBLOCK); + if (!userfaultfd_allowed()) + return -EPERM; + if (flags & ~UFFD_SHARED_FCNTL_FLAGS) return -EINVAL;