Re: [PATCH 0/3] userfaultfd: allow to forbid unprivileged users
From: Paolo Bonzini
Date: Wed Mar 13 2019 - 04:22:47 EST
On 13/03/19 07:00, Peter Xu wrote:
>> However, I can imagine more special cases being added for other users. And,
>> once you have more than one special case then you may want to combine them.
>> For example, kvm and hugetlbfs together.
> It looks fine to me if we're using MMF_USERFAULTFD_ALLOW flag upon
> mm_struct, since that seems to be a very general flag that can be used
> by anything we want to grant privilege for, not only KVM?
Perhaps you can remove the fork() limitation, and add a new suboption to
prctl(PR_SET_MM) that sets/resets MMF_USERFAULTFD_ALLOW. If somebody
wants to forbid unprivileged userfaultfd and use KVM, they'll have to
use libvirt or some other privileged management tool.
We could also add support for this prctl to systemd, and then one could
do "systemd-run -pAllowUserfaultfd=yes COMMAND".
Paolo