userfaultfd/sysctl: add vm.unprivileged_userfaultfd

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Userfaultfd can be misued to make it easier to exploit existing
use-after-free (and similar) bugs that might otherwise only make a
short window or race condition available. By using userfaultfd to
stall a kernel thread, a malicious program can keep some state that it
wrote, stable for an extended period, which it can then access using an
existing exploit. While it doesn't cause the exploit itself, and while
it's not the only thing that can stall a kernel thread when accessing a
memory location, it's one of the few that never needs privilege.

We can add a flag, allowing userfaultfd to be restricted, so that in
general it won't be useable by arbitrary user programs, but in
environments that require userfaultfd it can be turned back on.

Add a global sysctl knob "vm.unprivileged_userfaultfd" to control
whether userfaultfd is allowed by unprivileged users. When this is
set to zero, only privileged users (root user, or users with the
CAP_SYS_PTRACE capability) will be able to use the userfaultfd
syscalls.

Andrea said:

: The only difference between the bpf sysctl and the userfaultfd sysctl
: this way is that the bpf sysctl adds the CAP_SYS_ADMIN capability
: requirement, while userfaultfd adds the CAP_SYS_PTRACE requirement,
: because the userfaultfd monitor is more likely to need CAP_SYS_PTRACE
: already if it's doing other kind of tracking on processes runtime, in
: addition of userfaultfd. In other words both syscalls works only for
: root, when the two sysctl are opt-in set to 1.

[dgilbert@redhat.com: changelog additions]
[akpm@linux-foundation.org: documentation tweak, per Mike]
Link: http://lkml.kernel.org/r/20190319030722.12441-2-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
Suggested-by: Andrea Arcangeli <aarcange@redhat.com>
Suggested-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>
Cc: Maya Gokhale <gokhale2@llnl.gov>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Pavel Emelyanov <xemul@virtuozzo.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Martin Cracauer <cracauer@cons.org>
Cc: Denis Plotnikov <dplotnikov@virtuozzo.com>
Cc: Marty McFadden <mcfadden8@llnl.gov>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: "Kirill A . Shutemov" <kirill@shutemov.name>
Cc: "Dr . David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Peter Xu and committed by

Linus Torvalds 7 years ago cefdca0a f0fd5050

+31

4 changed files

expand all

Documentation

sysctl

vm.txt

userfaultfd.c

include

linux

userfaultfd_k.h

kernel

sysctl.c

+12

Documentation/sysctl/vm.txt

··· 61 61 - stat_refresh 62 62 - numa_stat 63 63 - swappiness 64 + - unprivileged_userfaultfd 64 65 - user_reserve_kbytes 65 66 - vfs_cache_pressure 66 67 - watermark_boost_factor ··· 816 815 than the high water mark in a zone. 817 816 818 817 The default value is 60. 818 + 819 + ============================================================== 820 + 821 + unprivileged_userfaultfd 822 + 823 + This flag controls whether unprivileged users can use the userfaultfd 824 + system calls. Set this to 1 to allow unprivileged users to use the 825 + userfaultfd system calls, or set this to 0 to restrict userfaultfd to only 826 + privileged users (with SYS_CAP_PTRACE capability). 827 + 828 + The default value is 1. 819 829 820 830 ============================================================== 821 831

fs/userfaultfd.c

··· 30 30 #include <linux/security.h> 31 31 #include <linux/hugetlb.h> 32 32 33 + int sysctl_unprivileged_userfaultfd __read_mostly = 1; 34 + 33 35 static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly; 34 36 35 37 enum userfaultfd_state { ··· 1931 1929 { 1932 1930 struct userfaultfd_ctx *ctx; 1933 1931 int fd; 1932 + 1933 + if (!sysctl_unprivileged_userfaultfd && !capable(CAP_SYS_PTRACE)) 1934 + return -EPERM; 1934 1935 1935 1936 BUG_ON(!current->mm); 1936 1937

include/linux/userfaultfd_k.h

··· 28 28 #define UFFD_SHARED_FCNTL_FLAGS (O_CLOEXEC | O_NONBLOCK) 29 29 #define UFFD_FLAGS_SET (EFD_SHARED_FCNTL_FLAGS) 30 30 31 + extern int sysctl_unprivileged_userfaultfd; 32 + 31 33 extern vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason); 32 34 33 35 extern ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start,

+12

kernel/sysctl.c

··· 66 66 #include <linux/kexec.h> 67 67 #include <linux/bpf.h> 68 68 #include <linux/mount.h> 69 + #include <linux/userfaultfd_k.h> 69 70 70 71 #include "../lib/kstrtox.h" 71 72 ··· 1719 1718 .proc_handler = proc_dointvec_minmax, 1720 1719 .extra1 = (void *)&mmap_rnd_compat_bits_min, 1721 1720 .extra2 = (void *)&mmap_rnd_compat_bits_max, 1721 + }, 1722 + #endif 1723 + #ifdef CONFIG_USERFAULTFD 1724 + { 1725 + .procname = "unprivileged_userfaultfd", 1726 + .data = &sysctl_unprivileged_userfaultfd, 1727 + .maxlen = sizeof(sysctl_unprivileged_userfaultfd), 1728 + .mode = 0644, 1729 + .proc_handler = proc_dointvec_minmax, 1730 + .extra1 = &zero, 1731 + .extra2 = &one, 1722 1732 }, 1723 1733 #endif 1724 1734 { }