Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users

From: Alexei Starovoitov
Date: Thu Mar 14 2019 - 11:23:31 EST

Next message: Willem de Bruijn: "Re: [RFC PATCH net] packets: Always register packet sk in the same order"
Previous message: Oleksandr Andrushchenko: "Re: [Xen-devel][PATCH] xen/netfront: Remove unneeded .resume callback"
In reply to: Paolo Bonzini: "Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users"
Next in thread: Paolo Bonzini: "Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 14, 2019 at 4:00 AM Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote:
>
> On 14/03/19 00:44, Andrea Arcangeli wrote:
> > Then I thought we can add a tristate so an open of /dev/kvm would also
> > allow the syscall to make things more user friendly because
> > unprivileged containers ideally should have writable mounts done with
> > nodev and no matter the privilege they shouldn't ever get an hold on
> > the KVM driver (and those who do, like kubevirt, will then just work).
>
> I wouldn't even bother with the KVM special case. Containers can use
> seccomp if they want a fine-grained policy.
>
> (Actually I wouldn't bother with the knob at all; the attack surface of
> userfaultfd is infinitesimal compared to the BPF JIT...).

please name _one_ BPF JIT bug that affected unprivileged user space.

Next message: Willem de Bruijn: "Re: [RFC PATCH net] packets: Always register packet sk in the same order"
Previous message: Oleksandr Andrushchenko: "Re: [Xen-devel][PATCH] xen/netfront: Remove unneeded .resume callback"
In reply to: Paolo Bonzini: "Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users"
Next in thread: Paolo Bonzini: "Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]