Re: [PATCH v2 0/6] Harden userfaultfd
From: Casey Schaufler
Date: Tue Feb 11 2020 - 18:13:48 EST
On 2/11/2020 2:55 PM, Daniel Colascione wrote:
> Userfaultfd in unprivileged contexts could be potentially very
> useful. We'd like to harden userfaultfd to make such unprivileged use
> less risky. This patch series allows SELinux to manage userfaultfd
> file descriptors and allows administrators to limit userfaultfd to
> servicing user-mode faults, increasing the difficulty of using
> userfaultfd in exploit chains invoking delaying kernel faults.
>
> A new anon_inodes interface allows callers to opt into SELinux
> management of anonymous file objects. In this mode, anon_inodes
> creates new ephemeral inodes for anonymous file objects instead of
> reusing a singleton dummy inode. A new LSM hook gives security modules
> an opportunity to configure and veto these ephemeral inodes.
>
> Existing anon_inodes users must opt into the new functionality.
>
> Daniel Colascione (6):
> Add a new flags-accepting interface for anonymous inodes
> Add a concept of a "secure" anonymous file
> Teach SELinux about a new userfaultfd class
> Wire UFFD up to SELinux
> Let userfaultfd opt out of handling kernel-mode faults
> Add a new sysctl for limiting userfaultfd to user mode faults
This must be posted to the linux Security Module list
<linux-security-module@xxxxxxxxxxxxxxx>
>
> Documentation/admin-guide/sysctl/vm.rst | 13 ++++
> fs/anon_inodes.c | 89 +++++++++++++++++--------
> fs/userfaultfd.c | 29 ++++++--
> include/linux/anon_inodes.h | 27 ++++++--
> include/linux/lsm_hooks.h | 8 +++
> include/linux/security.h | 2 +
> include/linux/userfaultfd_k.h | 3 +
> include/uapi/linux/userfaultfd.h | 9 +++
> kernel/sysctl.c | 9 +++
> security/security.c | 8 +++
> security/selinux/hooks.c | 68 +++++++++++++++++++
> security/selinux/include/classmap.h | 2 +
> 12 files changed, 229 insertions(+), 38 deletions(-)
>