From patchwork Tue Apr 12 20:29:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Axel Rasmussen X-Patchwork-Id: 12811237 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30ECEC433F5 for ; Tue, 12 Apr 2022 20:29:51 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 89B7F6B0072; Tue, 12 Apr 2022 16:29:50 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 849BA6B0073; Tue, 12 Apr 2022 16:29:50 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 6E9806B007D; Tue, 12 Apr 2022 16:29:50 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28]) by kanga.kvack.org (Postfix) with ESMTP id 5F4006B0072 for ; Tue, 12 Apr 2022 16:29:50 -0400 (EDT) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 2D8E0142C for ; Tue, 12 Apr 2022 20:29:50 +0000 (UTC) X-FDA: 79349368140.16.5BF1125 Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) by imf19.hostedemail.com (Postfix) with ESMTP id 9FF501A000A for ; Tue, 12 Apr 2022 20:29:49 +0000 (UTC) Received: by mail-yb1-f201.google.com with SMTP id b11-20020a5b008b000000b00624ea481d55so17890ybp.19 for ; Tue, 12 Apr 2022 13:29:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc; bh=WxuM56vp7eyey8vt1AZa+KldYkNrgkjPuC+4UbMDXgc=; b=rIM9EOW8GOu9cyGO8TXJ6h03VJygSCKXO8crDJqnskQH89h0ZkNfJ9QcigR3yBGwJg qIZIakU+ukGgbzbtBtrcJRatlgtr2WsuT1uhRYMkDZoB5wk0eninAo43ymkRPOkirNrq /816AqwD33qIzqfBV4wacqsGUAdSBGLoiJdn++k8j9aJAvNiMRne7dHD0R17EQukclon jCkxn4wbNTcNTRMRaVaA+0YjqUxB72PaFAAjiPWKXOSO3MiH1+AQx3jMXyfiGcttDc6b hy8JW5fCyciu4xUl/9HYYP0ybCeWnGKSjYBNlj56ErlhIeelassl5VxG2u3/aJIXAJ0J q/Ig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=WxuM56vp7eyey8vt1AZa+KldYkNrgkjPuC+4UbMDXgc=; b=HJaNS7cNMnbg4fJqP9Slw97OWIytyn73mkosnwd7CHNHYEE5vU2+jkul4JGoeEVpV4 8Q9bGCMH8pNiE6uXCMi3zZPy/Ej9OJyq67+0Vh/jcDurHBoRxkWoQrKG2XdB4D8jIMtL /e3McMQJSGnWj2vJkI03Ll6hNl6sCSJyz9DUezy/VeR1fhWiZ1dHBghQ19Is/B9O3KE0 7FcT6UbdqjyORna+1GdEDiYYfs1hfVXRMSKr739enG5Aq22GRENqzlBIbvDODWf0qRuM GyGk0J3kvW7pGfVRTSD7Bckp6cy8qSt0+i80leYMjiEUH8qUOorYKNk+6uBlpe0WS6XJ A3Rw== X-Gm-Message-State: AOAM5330HrE9pLsoMKPntSUegFalKu6QfRI4sSBKwSFfqTs+GHhPSrWq toPNcpL4qV+XDdeFgd3OMUJECVHJ+Q7tuKnoBo4F X-Google-Smtp-Source: ABdhPJwN1rKyVp/tc0fMg/HjGUO+kQyygAHoYo6COvoV6GzliqlsiWADXi0U2ptDq7ByWupmrnrJxjn86JmOaUcWFqlS X-Received: from ajr0.svl.corp.google.com ([2620:15c:2cd:203:8927:f9ed:8b14:ddae]) (user=axelrasmussen job=sendgmr) by 2002:a25:9391:0:b0:641:3842:c5c4 with SMTP id a17-20020a259391000000b006413842c5c4mr11278242ybm.323.1649795388862; Tue, 12 Apr 2022 13:29:48 -0700 (PDT) Date: Tue, 12 Apr 2022 13:29:41 -0700 Message-Id: <20220412202942.386981-1-axelrasmussen@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.35.1.1178.g4f1659d476-goog Subject: [PATCH 1/2] userfaultfd: add /dev/userfaultfd for fine grained access control From: Axel Rasmussen To: Alexander Viro , Andrew Morton , "Dmitry V . Levin" , Gleb Fotengauer-Malinovskiy , Mike Kravetz , Nadav Amit , Peter Xu , Shuah Khan Cc: Axel Rasmussen , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org X-Stat-Signature: 3aaxaq5b9f3jz549jfwzk1firpk4yddi Authentication-Results: imf19.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=rIM9EOW8; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf19.hostedemail.com: domain of 3POFVYg0KCG8NkRYeNfZhffRaTbbTYR.PbZYVahk-ZZXiNPX.beT@flex--axelrasmussen.bounces.google.com designates 209.85.219.201 as permitted sender) smtp.mailfrom=3POFVYg0KCG8NkRYeNfZhffRaTbbTYR.PbZYVahk-ZZXiNPX.beT@flex--axelrasmussen.bounces.google.com X-Rspam-User: X-Rspamd-Server: rspam11 X-Rspamd-Queue-Id: 9FF501A000A X-HE-Tag: 1649795389-966657 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Historically, it has been shown that intercepting kernel faults with userfaultfd (thereby forcing the kernel to wait for an arbitrary amount of time) can be exploited, or at least can make some kinds of exploits easier. So, in 37cd0575b8 "userfaultfd: add UFFD_USER_MODE_ONLY" we changed things so, in order for kernel faults to be handled by userfaultfd, either the process needs CAP_SYS_PTRACE, or this sysctl must be configured so that any unprivileged user can do it. In a typical implementation of a hypervisor with live migration (take QEMU/KVM as one such example), we do indeed need to be able to handle kernel faults. But, both options above are less than ideal: - Toggling the sysctl increases attack surface by allowing any unprivileged user to do it. - Granting the live migration process CAP_SYS_PTRACE gives it this ability, but *also* the ability to "observe and control the execution of another process [...], and examine and change [its] memory and registers" (from ptrace(2)). This isn't something we need or want to be able to do, so granting this permission violates the "principle of least privilege". This is all a long winded way to say: we want a more fine-grained way to grant access to userfaultfd, without granting other additional permissions at the same time. To achieve this, add a /dev/userfaultfd misc device. This device provides an alternative to the userfaultfd(2) syscall for the creation of new userfaultfds. The idea is, any userfaultfds created this way will be able to handle kernel faults, without the caller having any special capabilities. Access to this mechanism is instead restricted using e.g. standard filesystem permissions. Signed-off-by: Axel Rasmussen --- fs/userfaultfd.c | 79 ++++++++++++++++++++++++++------ include/uapi/linux/userfaultfd.h | 4 ++ 2 files changed, 69 insertions(+), 14 deletions(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index aa0c47cb0d16..16d7573ab41a 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -29,6 +29,7 @@ #include #include #include +#include int sysctl_unprivileged_userfaultfd __read_mostly; @@ -65,6 +66,8 @@ struct userfaultfd_ctx { unsigned int flags; /* features requested from the userspace */ unsigned int features; + /* whether or not to handle kernel faults */ + bool handle_kernel_faults; /* released */ bool released; /* memory mappings are changing because of non-cooperative event */ @@ -410,13 +413,8 @@ vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason) if (ctx->features & UFFD_FEATURE_SIGBUS) goto out; - if ((vmf->flags & FAULT_FLAG_USER) == 0 && - ctx->flags & UFFD_USER_MODE_ONLY) { - printk_once(KERN_WARNING "uffd: Set unprivileged_userfaultfd " - "sysctl knob to 1 if kernel faults must be handled " - "without obtaining CAP_SYS_PTRACE capability\n"); + if (!(vmf->flags & FAULT_FLAG_USER) && !ctx->handle_kernel_faults) goto out; - } /* * If it's already released don't get it. This avoids to loop @@ -2064,19 +2062,33 @@ static void init_once_userfaultfd_ctx(void *mem) seqcount_spinlock_init(&ctx->refile_seq, &ctx->fault_pending_wqh.lock); } -SYSCALL_DEFINE1(userfaultfd, int, flags) +static inline bool userfaultfd_allowed(bool is_syscall, int flags) +{ + bool kernel_faults = !(flags & UFFD_USER_MODE_ONLY); + bool allow_unprivileged = sysctl_unprivileged_userfaultfd; + + /* userfaultfd(2) access is controlled by sysctl + capability. */ + if (is_syscall && kernel_faults) { + if (!allow_unprivileged && !capable(CAP_SYS_PTRACE)) + return false; + } + + /* + * For /dev/userfaultfd, access is to be controlled using e.g. + * permissions on the device node. We assume this is correctly + * configured by userspace, so we simply allow access here. + */ + + return true; +} + +static int new_userfaultfd(bool is_syscall, int flags) { struct userfaultfd_ctx *ctx; int fd; - if (!sysctl_unprivileged_userfaultfd && - (flags & UFFD_USER_MODE_ONLY) == 0 && - !capable(CAP_SYS_PTRACE)) { - printk_once(KERN_WARNING "uffd: Set unprivileged_userfaultfd " - "sysctl knob to 1 if kernel faults must be handled " - "without obtaining CAP_SYS_PTRACE capability\n"); + if (!userfaultfd_allowed(is_syscall, flags)) return -EPERM; - } BUG_ON(!current->mm); @@ -2095,6 +2107,11 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) refcount_set(&ctx->refcount, 1); ctx->flags = flags; ctx->features = 0; + /* + * If UFFD_USER_MODE_ONLY is not set, then userfaultfd_allowed() above + * decided that kernel faults were allowed and should be handled. + */ + ctx->handle_kernel_faults = !(flags & UFFD_USER_MODE_ONLY); ctx->released = false; atomic_set(&ctx->mmap_changing, 0); ctx->mm = current->mm; @@ -2110,8 +2127,42 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) return fd; } +SYSCALL_DEFINE1(userfaultfd, int, flags) +{ + return new_userfaultfd(true, flags); +} + +static int userfaultfd_dev_open(struct inode *inode, struct file *file) +{ + return 0; +} + +static long userfaultfd_dev_ioctl(struct file *file, unsigned int cmd, unsigned long flags) +{ + if (cmd != USERFAULTFD_IOC_NEW) + return -EINVAL; + + return new_userfaultfd(false, flags); +} + +static const struct file_operations userfaultfd_dev_fops = { + .open = userfaultfd_dev_open, + .unlocked_ioctl = userfaultfd_dev_ioctl, + .compat_ioctl = compat_ptr_ioctl, + .owner = THIS_MODULE, + .llseek = noop_llseek, +}; + +static struct miscdevice userfaultfd_misc = { + .minor = MISC_DYNAMIC_MINOR, + .name = "userfaultfd", + .fops = &userfaultfd_dev_fops +}; + static int __init userfaultfd_init(void) { + WARN_ON(misc_register(&userfaultfd_misc)); + userfaultfd_ctx_cachep = kmem_cache_create("userfaultfd_ctx_cache", sizeof(struct userfaultfd_ctx), 0, diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h index ef739054cb1c..032a35b3bbd2 100644 --- a/include/uapi/linux/userfaultfd.h +++ b/include/uapi/linux/userfaultfd.h @@ -12,6 +12,10 @@ #include +/* ioctls for /dev/userfaultfd */ +#define USERFAULTFD_IOC 0xAA +#define USERFAULTFD_IOC_NEW _IOWR(USERFAULTFD_IOC, 0x00, int) + /* * If the UFFDIO_API is upgraded someday, the UFFDIO_UNREGISTER and * UFFDIO_WAKE ioctls should be defined as _IOW and not as _IOR. In From patchwork Tue Apr 12 20:29:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Axel Rasmussen X-Patchwork-Id: 12811238 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id CAB8BC433F5 for ; Tue, 12 Apr 2022 20:29:53 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 6503B6B0073; Tue, 12 Apr 2022 16:29:53 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 5D8A06B007D; Tue, 12 Apr 2022 16:29:53 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 479C76B007E; Tue, 12 Apr 2022 16:29:53 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28]) by kanga.kvack.org (Postfix) with ESMTP id 378326B0073 for ; Tue, 12 Apr 2022 16:29:53 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 0569C24D2A for ; Tue, 12 Apr 2022 20:29:53 +0000 (UTC) X-FDA: 79349368266.13.59F1CB2 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) by imf24.hostedemail.com (Postfix) with ESMTP id 886CD180008 for ; Tue, 12 Apr 2022 20:29:52 +0000 (UTC) Received: by mail-pj1-f74.google.com with SMTP id r12-20020a17090a690c00b001cb9bce2284so3707817pjj.8 for ; Tue, 12 Apr 2022 13:29:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=u+9yLdrvqv+15A9PShNP0Bj2lgMYcE44VCQG0+LZtrY=; b=mwfr+1QL20PQIeOZQZw4zuZEGgBuBUOGgqdqpg6THGQZKaFw5Wj8PV8H59rdqaaBLU 96DEcj2/yCle2oJspe3XQ+wvE7SynQC2qq8T45bjBHdWr775iHRDb1Awf9JLNlMzGg0Z g9Vavh5XkBcZCDWPUCYqQaA2bJ40hvxQocKz/LgmqNRswWSq0TrGjsidj6Uh160Cxgg9 Br/LGeUfE2qBk04WfS9pWdcxkZ6ZfhQUGAQUPaDVZVTwx2AivA1G7qb2eWdfFOoTI0KO 79/zwiYoOluzurGB1K8giL4K789L/VwUjzCmIrbzk2s/dgPratqPJ30cmLHHGCauiOdw Ag0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=u+9yLdrvqv+15A9PShNP0Bj2lgMYcE44VCQG0+LZtrY=; b=iPfTzNZWssON7nfXuE4sFyxFd3l/AOnvRt1kuQJxy1mN7WFa6ytnVpgKQTnyzbsvZa K82vDkL48PCR7XyA+996s40M6kgqpXQUl3VlwLSGDkHMfXXkpBP5AuMv0S7AY7YYzlJW 2oqmP3MpIk8CaC8nQbbWNK9NVNdlobnGZzKoFQeUQALwXT6WsFf6fTf18gIJHRBbffg0 Jz1t/fyDfWn62pM6QtR9+wZArGXZWcqCNfuWsaCsUsRmUy7hRnzFhY+/SBc2o4YdU00y 6zUhu96TenYbNjuiVIp0tRW5ajIUF3jy0NLg4bEUUGq6DLywLPBSbZVAxaNv5+5UU29C Qj2w== X-Gm-Message-State: AOAM531ul83UPw5Wc/YrmkfkNz5w1Dulz744ToKgpH0ncTV+1XkDyCRH qe9QojFnUTP85GdMg4QwtE225iC6ANfNi2IfP6TA X-Google-Smtp-Source: ABdhPJzT2Zt45zo3Wf9Ef/5d1NiGtDnKycptXlg/R76ipboiOT8KRuG6nigv1WkYm1tB4Mt/wit/6RMj+xbJNsBmESHI X-Received: from ajr0.svl.corp.google.com ([2620:15c:2cd:203:8927:f9ed:8b14:ddae]) (user=axelrasmussen job=sendgmr) by 2002:a17:90b:3c47:b0:1cb:8121:dcc8 with SMTP id pm7-20020a17090b3c4700b001cb8121dcc8mr6997487pjb.35.1649795391430; Tue, 12 Apr 2022 13:29:51 -0700 (PDT) Date: Tue, 12 Apr 2022 13:29:42 -0700 In-Reply-To: <20220412202942.386981-1-axelrasmussen@google.com> Message-Id: <20220412202942.386981-2-axelrasmussen@google.com> Mime-Version: 1.0 References: <20220412202942.386981-1-axelrasmussen@google.com> X-Mailer: git-send-email 2.35.1.1178.g4f1659d476-goog Subject: [PATCH 2/2] userfaultfd: selftests: modify selftest to use /dev/userfaultfd From: Axel Rasmussen To: Alexander Viro , Andrew Morton , "Dmitry V . Levin" , Gleb Fotengauer-Malinovskiy , Mike Kravetz , Nadav Amit , Peter Xu , Shuah Khan Cc: Axel Rasmussen , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 886CD180008 X-Stat-Signature: job8em3ezsixke7n9nsbgegbiwk5rkf3 X-Rspam-User: Authentication-Results: imf24.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=mwfr+1QL; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf24.hostedemail.com: domain of 3P-FVYg0KCHIQnUbhQickiiUdWeeWbU.SecbYdkn-ccalQSa.ehW@flex--axelrasmussen.bounces.google.com designates 209.85.216.74 as permitted sender) smtp.mailfrom=3P-FVYg0KCHIQnUbhQickiiUdWeeWbU.SecbYdkn-ccalQSa.ehW@flex--axelrasmussen.bounces.google.com X-HE-Tag: 1649795392-950038 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000005, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Prefer this new interface, but if using it fails for any reason just fall back to using userfaultfd(2) as before. Signed-off-by: Axel Rasmussen --- tools/testing/selftests/vm/userfaultfd.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/vm/userfaultfd.c b/tools/testing/selftests/vm/userfaultfd.c index 92a4516f8f0d..a50c430f036c 100644 --- a/tools/testing/selftests/vm/userfaultfd.c +++ b/tools/testing/selftests/vm/userfaultfd.c @@ -383,13 +383,32 @@ static void assert_expected_ioctls_present(uint64_t mode, uint64_t ioctls) } } +static void __userfaultfd_open_dev(void) +{ + int fd; + + uffd = -1; + fd = open("/dev/userfaultfd", O_RDWR | O_CLOEXEC); + if (fd < 0) + return; + + uffd = ioctl(fd, USERFAULTFD_IOC_NEW, + O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY); + close(fd); +} + static void userfaultfd_open(uint64_t *features) { struct uffdio_api uffdio_api; - uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY); + __userfaultfd_open_dev(); + if (uffd < 0) { + printf("/dev/userfaultfd failed, fallback to userfaultfd(2)\n"); + uffd = syscall(__NR_userfaultfd, + O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY); + } if (uffd < 0) - err("userfaultfd syscall not available in this kernel"); + err("userfaultfd syscall failed"); uffd_flags = fcntl(uffd, F_GETFD, NULL); uffdio_api.api = UFFD_API;