From patchwork Mon Mar 11 09:36:59 2019
X-Patchwork-Submitter: Peter Xu
X-Patchwork-Id: 10847125
From: Peter Xu
To: linux-kernel@vger.kernel.org
Cc: Paolo Bonzini, Hugh Dickins, Luis Chamberlain, Maxime Coquelin,
 kvm@vger.kernel.org, Jerome Glisse, Pavel Emelyanov, Johannes Weiner,
 peterx@redhat.com, Martin Cracauer, Denis Plotnikov, linux-mm@kvack.org,
 Marty McFadden, Maya Gokhale, Mike Kravetz, Andrea Arcangeli,
 Mike Rapoport, Kees Cook, Mel Gorman, "Kirill A . Shutemov",
 linux-fsdevel@vger.kernel.org, "Dr . David Alan Gilbert", Andrew Morton
Subject: [PATCH 1/3] userfaultfd/sysctl: introduce unprivileged_userfaultfd
Date: Mon, 11 Mar 2019 17:36:59 +0800
Message-Id: <20190311093701.15734-2-peterx@redhat.com>
In-Reply-To: <20190311093701.15734-1-peterx@redhat.com>
References: <20190311093701.15734-1-peterx@redhat.com>

Introduce a new sysctl called "vm.unprivileged_userfaultfd" that can
be used to decide whether userfaultfd syscalls are allowed by
unprivileged users. It'll allow three modes:

  - disabled: disallow unprivileged users to use uffd

  - enabled: allow unprivileged users to use uffd

  - kvm: allow unprivileged users to use uffd only if the user had
    enough permission to open /dev/kvm (this option only exists if
    the kernel turned on KVM).

This patch only introduces the new interface but does not yet apply it
to the userfaultfd syscalls, which will be done in the follow-up patch.

Signed-off-by: Peter Xu
---
 fs/userfaultfd.c              | 96 +++++++++++++++++++++++++++++++++++
 include/linux/userfaultfd_k.h |  5 ++
 init/Kconfig                  | 11 ++++
 kernel/sysctl.c               | 11 ++++
 4 files changed, 123 insertions(+)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 89800fc7dc9d..c2188464555a 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -29,6 +29,8 @@ #include #include #include +#include +#include static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly; 
@@ -93,6 +95,95 @@ struct userfaultfd_wake_range { unsigned long len; }; +enum unprivileged_userfaultfd { + /* Disallow unprivileged users to use userfaultfd syscalls */ + UFFD_UNPRIV_DISABLED = 0, + /* Allow unprivileged users to use userfaultfd syscalls */ + UFFD_UNPRIV_ENABLED, +#if IS_ENABLED(CONFIG_KVM) + /* + * Allow unprivileged users to use userfaultfd syscalls only + * if the user had enough permission to open /dev/kvm + */ + UFFD_UNPRIV_KVM, +#endif + UFFD_UNPRIV_NUM, +}; + +static int unprivileged_userfaultfd __read_mostly; +static const char *unprivileged_userfaultfd_str[UFFD_UNPRIV_NUM] = { + "disabled", "enabled", +#if IS_ENABLED(CONFIG_KVM) + "kvm", +#endif +}; + +static int unprivileged_uffd_parse(char *buf, size_t size) +{ + int i; + + for (i = 0; i < UFFD_UNPRIV_NUM; i++) { + if (!strncmp(unprivileged_userfaultfd_str[i], buf, size)) { + unprivileged_userfaultfd = i; + return 0; + } + } + + return -EFAULT; +} + +static void unprivileged_uffd_dump(char *buf, size_t size) +{ + int i; + + *buf = 0x00; + for (i = 0; i < UFFD_UNPRIV_NUM; i++) { + if (i == unprivileged_userfaultfd) + strncat(buf, "[", size - strlen(buf)); + strncat(buf, unprivileged_userfaultfd_str[i], + size - strlen(buf)); + if (i == unprivileged_userfaultfd) + strncat(buf, "]", size - strlen(buf)); + strncat(buf, " ", size - strlen(buf)); + } + +} + +int proc_unprivileged_userfaultfd(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, + loff_t *ppos) +{ + struct ctl_table tmp_table = { .maxlen = 0 }; + int ret; + + if (write) { + tmp_table.maxlen = UFFD_UNPRIV_STRLEN; + tmp_table.data = kmalloc(UFFD_UNPRIV_STRLEN, GFP_KERNEL); + + ret = proc_dostring(&tmp_table, write, buffer, lenp, ppos); + if (ret) + goto out; + + ret = unprivileged_uffd_parse(tmp_table.data, + UFFD_UNPRIV_STRLEN); + } else { + /* Leave space for "[]" */ + int len = UFFD_UNPRIV_STRLEN * UFFD_UNPRIV_NUM + 2; + + tmp_table.maxlen = len; + tmp_table.data = kmalloc(len, GFP_KERNEL); + + 
unprivileged_uffd_dump(tmp_table.data, len); + + ret = proc_dostring(&tmp_table, write, buffer, lenp, ppos); + } + +out: + if (tmp_table.data) + kfree(tmp_table.data); + return ret; +} + static int userfaultfd_wake_function(wait_queue_entry_t *wq, unsigned mode, int wake_flags, void *key) { @@ -1955,6 +2046,11 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) static int __init userfaultfd_init(void) { + char unpriv_uffd[UFFD_UNPRIV_STRLEN] = + CONFIG_USERFAULTFD_UNPRIVILEGED_DEFAULT; + + unprivileged_uffd_parse(unpriv_uffd, sizeof(unpriv_uffd)); + userfaultfd_ctx_cachep = kmem_cache_create("userfaultfd_ctx_cache", sizeof(struct userfaultfd_ctx), 0, diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h index 37c9eba75c98..f53bc02ccffc 100644 --- a/include/linux/userfaultfd_k.h +++ b/include/linux/userfaultfd_k.h @@ -28,6 +28,11 @@ #define UFFD_SHARED_FCNTL_FLAGS (O_CLOEXEC | O_NONBLOCK) #define UFFD_FLAGS_SET (EFD_SHARED_FCNTL_FLAGS) +#define UFFD_UNPRIV_STRLEN 16 +int proc_unprivileged_userfaultfd(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, + loff_t *ppos); + extern vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason); extern ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start, diff --git a/init/Kconfig b/init/Kconfig index c9386a365eea..d90caa4fed17 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -1512,6 +1512,17 @@ config USERFAULTFD Enable the userfaultfd() system call that allows to intercept and handle page faults in userland. +config USERFAULTFD_UNPRIVILEGED_DEFAULT + string "Default behavior for unprivileged userfault syscalls" + depends on USERFAULTFD + default "disabled" + help + Set this to "enabled" to allow userfaultfd syscalls from + unprivileged users. Set this to "disabled" to forbid + userfaultfd syscalls from unprivileged users. Set this to + "kvm" to forbid unpriviledged users but still allow users + who had enough permission to open /dev/kvm. + config ARCH_HAS_MEMBARRIER_CALLBACKS bool diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 7578e21a711b..5dc9f3d283dd 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -96,6 +96,9 @@ #ifdef CONFIG_LOCKUP_DETECTOR #include #endif +#ifdef CONFIG_USERFAULTFD +#include +#endif #if defined(CONFIG_SYSCTL) 
@@ -1704,6 +1707,14 @@ static struct ctl_table vm_table[] = { .extra1 = (void *)&mmap_rnd_compat_bits_min, .extra2 = (void *)&mmap_rnd_compat_bits_max, }, +#endif +#ifdef CONFIG_USERFAULTFD + { + .procname = "unprivileged_userfaultfd", + .maxlen = UFFD_UNPRIV_STRLEN, + .mode = 0644, + .proc_handler = proc_unprivileged_userfaultfd, + }, #endif { } };

From patchwork Mon Mar 11 09:37:00 2019
X-Patchwork-Submitter: Peter Xu
X-Patchwork-Id: 10847131
From: Peter Xu
Subject: [PATCH 2/3] kvm/mm: introduce MMF_USERFAULTFD_ALLOW flag
Date: Mon, 11 Mar 2019 17:37:00 +0800
Message-Id: <20190311093701.15734-3-peterx@redhat.com>
In-Reply-To: <20190311093701.15734-1-peterx@redhat.com>
References: <20190311093701.15734-1-peterx@redhat.com>

Introduce a new MMF_USERFAULTFD_ALLOW flag and tag it upon the process
memory address space as long as the process opened /dev/kvm once.
It'll be dropped automatically on fork() by MMF_INIT_TASK to reset the
userfaultfd permission.

Detecting the flag gives us a chance to open the green light for kvm
upon using userfaultfd when we want to make sure all the existing kvm
users will still be able to run their userspace programs without being
affected by the new unprivileged userfaultfd switch.

Suggested-by: Andrea Arcangeli
Signed-off-by: Peter Xu
---
 include/linux/sched/coredump.h | 1 +
 virt/kvm/kvm_main.c            | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h index ecdc6542070f..9f6e71182892 100644 --- a/include/linux/sched/coredump.h +++ b/include/linux/sched/coredump.h
@@ -72,6 +72,7 @@ static inline int get_dumpable(struct mm_struct *mm) #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */ #define MMF_OOM_VICTIM 25 /* mm is the oom victim */ #define MMF_OOM_REAP_QUEUED 26 /* mm was queued for oom_reaper */ +#define MMF_USERFAULTFD_ALLOW 27 /* allow userfaultfd syscall */ #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP) #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\ diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index d237d3350a99..079f6ac00c36 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c 
@@ -3403,7 +3403,14 @@ static long kvm_dev_ioctl(struct file *filp, return r; } +static int kvm_dev_open(struct inode *inode, struct file *file) +{ + set_bit(MMF_USERFAULTFD_ALLOW, ¤t->mm->flags); + return 0; +} + static struct file_operations kvm_chardev_ops = { + .open = kvm_dev_open, .unlocked_ioctl = kvm_dev_ioctl, .llseek = noop_llseek, KVM_COMPAT(kvm_dev_ioctl),

From patchwork Mon Mar 11 09:37:01 2019
X-Patchwork-Submitter: Peter Xu
X-Patchwork-Id: 10847133
From: Peter Xu
Subject: [PATCH 3/3] userfaultfd: apply unprivileged_userfaultfd check
Date: Mon, 11 Mar 2019 17:37:01 +0800
Message-Id: <20190311093701.15734-4-peterx@redhat.com>
In-Reply-To: <20190311093701.15734-1-peterx@redhat.com>
References: <20190311093701.15734-1-peterx@redhat.com>

Apply the unprivileged_userfaultfd check when doing the userfaultfd
syscall. We didn't check it in other paths of userfaultfd (e.g., the
ioctl() path) because we don't want to drag down the fast path of
userfaultfd, as suggested by Andrea.

Suggested-by: Andrea Arcangeli
Suggested-by: Mike Rapoport
Signed-off-by: Peter Xu
---
 fs/userfaultfd.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index c2188464555a..effdcfc88629 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c
@@ -951,6 +951,28 @@ void userfaultfd_unmap_complete(struct mm_struct *mm, struct list_head *uf) } } +/* Whether current process allows to use userfaultfd syscalls */ +static bool userfaultfd_allowed(void) +{ + bool allowed = false; + + switch (unprivileged_userfaultfd) { + case UFFD_UNPRIV_ENABLED: + allowed = true; + break; + case UFFD_UNPRIV_KVM: + allowed = !!test_bit(MMF_USERFAULTFD_ALLOW, + ¤t->mm->flags); + /* Fall through */ + case UFFD_UNPRIV_DISABLED: + allowed = allowed || ns_capable(current_user_ns(), + CAP_SYS_PTRACE); + break; + } + + return allowed; +} + static int userfaultfd_release(struct inode *inode, struct file *file) { struct userfaultfd_ctx *ctx = file->private_data; @@ -2018,6 +2040,9 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) BUILD_BUG_ON(UFFD_CLOEXEC != O_CLOEXEC); BUILD_BUG_ON(UFFD_NONBLOCK != O_NONBLOCK); + if (!userfaultfd_allowed()) + return -EPERM; + if (flags & ~UFFD_SHARED_FCNTL_FLAGS) return -EINVAL;
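
Review bot: In [PATCH 1/3], fs/userfaultfd.c hunk @@ -93,6 +95,95 @@, proc_unprivileged_userfaultfd() uses both kmalloc() results without a NULL check; on the write path a failed allocation reaches unprivileged_uffd_parse(), which hands the pointer to strncmp(). Check tmp_table.data after each kmalloc() and return -ENOMEM. Two smaller points in the same hunk: unprivileged_uffd_parse() returns -EFAULT for an unrecognised mode string, where -EINVAL describes the failure; and unprivileged_uffd_dump() passes size - strlen(buf) as the strncat() bound, but strncat() appends up to n bytes plus a terminating NUL, so the bound should be size - strlen(buf) - 1, or the function should use strlcat() or scnprintf().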
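
Review bot: In [PATCH 1/3], fs/userfaultfd.c hunk @@ -1955,6 +2046,11 @@, userfaultfd_init() discards the return value of unprivileged_uffd_parse(), so a CONFIG_USERFAULTFD_UNPRIVILEGED_DEFAULT string that matches no table entry (a typo, or "kvm" on a build where the CONFIG_KVM-guarded entry is compiled out) silently leaves the mode at UFFD_UNPRIV_DISABLED. That fails closed, but the mismatch should at least be reported with pr_warn() so it is visible at boot.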
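
Review bot: In [PATCH 1/3], init/Kconfig hunk @@ -1512,6 +1512,17 @@, USERFAULTFD_UNPRIVILEGED_DEFAULT is a free-form string, so an invalid value is only discovered at run time, and the help text offers "kvm" without saying that the mode exists only when KVM is enabled. A choice block with one entry per mode, the kvm entry depending on KVM, would validate this at configuration time. Also fix the spelling "unpriviledged" in the help text.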
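
Review bot: In [PATCH 1/3], kernel/sysctl.c hunk @@ -1704,6 +1707,14 @@, the new vm.unprivileged_userfaultfd entry is added without documentation: the diffstat touches four files and none of them is under Documentation/. Please describe the three accepted strings, the bracketed read format produced by unprivileged_uffd_dump(), and the Kconfig default in the sysctl documentation, since administrators will use this knob as a hardening control.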
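
Review bot: In [PATCH 2/3], virt/kvm/kvm_main.c hunk @@ -3403,7 +3403,14 @@, kvm_dev_open() sets MMF_USERFAULTFD_ALLOW on the opener's mm and nothing in this series clears it again, so a single open() of /dev/kvm, even one that is closed immediately, grants userfaultfd access to every thread sharing that mm for the rest of the mm's lifetime. If that is the intended trade-off, say so in a comment above kvm_dev_open() and next to the flag definition in coredump.h, including that the flag is deliberately left out of MMF_INIT_MASK; otherwise add a release handler or tie the permission to a VM actually being created.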
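
Review bot: In [PATCH 3/3], fs/userfaultfd.c hunk @@ -951,6 +951,28 @@, userfaultfd_allowed() uses case UFFD_UNPRIV_KVM unconditionally, but patch 1/3 defines that enumerator only under #if IS_ENABLED(CONFIG_KVM), so this will not build with KVM disabled. Wrap the case in the same #if or define the enumerator unconditionally. The switch also has no default, so an unexpected value of unprivileged_userfaultfd denies even CAP_SYS_PTRACE holders; a default label on the UFFD_UNPRIV_DISABLED branch would make the intended behaviour explicit. A short comment on why CAP_SYS_PTRACE is the chosen capability would help as well.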