| author | Peter Xu <[email protected]> | 2019-05-13 17:16:41 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2019-05-14 09:47:45 -0700 |
| commit | cefdca0a86be517bc390fc4541e3674b8e7803b0 (patch) | |
| tree | f85716c23f5e1356c8e5213162489a04d40b06f9 /tools/perf/scripts/python/export-to-sqlite.py | |
| parent | f0fd50504a54f5548eb666dc16ddf8394e44e4b7 (diff) | |
userfaultfd/sysctl: add vm.unprivileged_userfaultfd

Userfaultfd can be misused to make it easier to exploit existing
use-after-free (and similar) bugs that might otherwise only make a
short window or race condition available. By using userfaultfd to
stall a kernel thread, a malicious program can keep some state that it
wrote, stable for an extended period, which it can then access using an
existing exploit. While it doesn't cause the exploit itself, and while
it's not the only thing that can stall a kernel thread when accessing a
memory location, it's one of the few that never needs privilege.

We can add a flag, allowing userfaultfd to be restricted, so that in
general it won't be useable by arbitrary user programs, but in
environments that require userfaultfd it can be turned back on.

Add a global sysctl knob "vm.unprivileged_userfaultfd" to control
whether userfaultfd is allowed by unprivileged users. When this is
set to zero, only privileged users (root user, or users with the
CAP_SYS_PTRACE capability) will be able to use the userfaultfd
syscalls.

Andrea said:

: The only difference between the bpf sysctl and the userfaultfd sysctl
: this way is that the bpf sysctl adds the CAP_SYS_ADMIN capability
: requirement, while userfaultfd adds the CAP_SYS_PTRACE requirement,
: because the userfaultfd monitor is more likely to need CAP_SYS_PTRACE
: already if it's doing other kinds of tracking on processes runtime, in
: addition to userfaultfd. In other words both syscalls work only for
: root, when the two sysctls are opt-in set to 1.

[[email protected]: changelog additions]
[[email protected]: documentation tweak, per Mike]
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
Suggested-by: Andrea Arcangeli <[email protected]>
Suggested-by: Mike Rapoport <[email protected]>
Reviewed-by: Mike Rapoport <[email protected]>
Reviewed-by: Andrea Arcangeli <[email protected]>
Cc: Paolo Bonzini <[email protected]>
Cc: Hugh Dickins <[email protected]>
Cc: Luis Chamberlain <[email protected]>
Cc: Maxime Coquelin <[email protected]>
Cc: Maya Gokhale <[email protected]>
Cc: Jerome Glisse <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Cc: Johannes Weiner <[email protected]>
Cc: Martin Cracauer <[email protected]>
Cc: Denis Plotnikov <[email protected]>
Cc: Marty McFadden <[email protected]>
Cc: Mike Kravetz <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Mel Gorman <[email protected]>
Cc: "Kirill A . Shutemov" <[email protected]>
Cc: "Dr . David Alan Gilbert" <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/export-to-sqlite.py')
0 files changed, 0 insertions, 0 deletions
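
A host audit for the rule stated in the commit message (knob set to zero means only holders of CAP_SYS_PTRACE may use userfaultfd), as an added example that is not part of this commit or the kernel tree. The function names and verdict strings are hypothetical, and treating a missing knob as "no restriction" assumes a kernel that predates this change.

```shell
#!/bin/sh
# Added example (not kernel code): decide whether a process may use
# userfaultfd under the semantics described in the commit message.
# File arguments default to the live /proc paths so the functions can
# also be pointed at constructed or collected copies.

CAP_SYS_PTRACE_BIT=19   # CAP_SYS_PTRACE in include/uapi/linux/capability.h

# has_cap_sys_ptrace [STATUS_FILE]
# Returns 0 if the CapEff mask in a /proc/<pid>/status-format file has
# CAP_SYS_PTRACE set, 1 if it does not, 2 if no CapEff line was found.
has_cap_sys_ptrace() {
    status_file=${1:-/proc/self/status}
    capeff=$(awk '/^CapEff:/ { print $2; exit }' "$status_file" 2>/dev/null)
    [ -n "$capeff" ] || return 2
    [ $(( (0x$capeff >> $CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# uffd_verdict [SYSCTL_FILE] [STATUS_FILE]
# Prints one verdict string (hypothetical names chosen for this example).
uffd_verdict() {
    knob_file=${1:-/proc/sys/vm/unprivileged_userfaultfd}
    status_file=${2:-/proc/self/status}
    if [ ! -r "$knob_file" ]; then
        # Assumption: no knob means the kernel predates this commit.
        echo "unrestricted-no-knob"
        return 0
    fi
    knob=$(tr -d '[:space:]' < "$knob_file")
    case $knob in
        1) echo "allowed-unprivileged" ;;
        0) # Root normally carries CAP_SYS_PTRACE in CapEff as well.
           if has_cap_sys_ptrace "$status_file"; then
               echo "allowed-cap-sys-ptrace"
           else
               echo "denied"
           fi ;;
        *) echo "unknown-value"; return 1 ;;
    esac
}
```

Calling `uffd_verdict` with no arguments audits the running host and the calling shell's own capability set.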