From patchwork Mon Aug 8 17:56:09 2022
X-Patchwork-Submitter: Axel Rasmussen
X-Patchwork-Id: 12938952
Date: Mon, 8 Aug 2022 10:56:09 -0700
Message-Id: <20220808175614.3885028-1-axelrasmussen@google.com>
Subject: [PATCH v5 0/5] userfaultfd: add /dev/userfaultfd for fine grained access control
From: Axel Rasmussen
To: Alexander Viro, Andrew Morton, Dave Hansen, Dmitry V. Levin, Gleb Fotengauer-Malinovskiy, Hugh Dickins, Jan Kara, Jonathan Corbet, Mel Gorman, Mike Kravetz, Mike Rapoport, Nadav Amit, Peter Xu, Shuah Khan, Suren Baghdasaryan, Vlastimil Babka, zhangyi
Cc: Axel Rasmussen, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-security-module@vger.kernel.org
This series is based on torvalds/master. The series is split up like so:

- Patch 1 is a simple fixup which we should take in any case (even by itself).
- Patches 2-5 add the feature, configurable selftest support, and docs.

Why not ...?
============

- Why not /proc/[pid]/userfaultfd? Two main points (additional discussion [1]):
  - /proc/[pid]/* files are all owned by the user/group of the process, and they don't really support chmod/chown. So, without extending procfs it doesn't solve the problem this series is trying to solve.
  - The main argument *for* this was to support creating UFFDs for remote processes. But, that use case clearly calls for CAP_SYS_PTRACE, so to support this we could just use the UFFD syscall as-is.

- Why not use a syscall? Access to syscalls is generally controlled by capabilities. We don't have a capability which is used for userfaultfd access without also granting more / other permissions as well, and adding a new capability was rejected [2].

- It's possible an LSM could be used to control access instead, but I have some concerns. I don't think this approach would be as easy to use, particularly if we were to try to solve this with something heavyweight like SELinux. Maybe we could pursue adding a new LSM specifically for this use case, but it may be too narrow of a case to justify that.

Changelog
=========

v4->v5:
- Call userfaultfd_syscall_allowed() directly in the syscall, so we don't have to plumb a flag into new_userfaultfd(). [Nadav]
- Refactored run_vmtests.sh to loop over UFFD test mods. [Nadav]
- Reworded cover letter.
- Picked up some Acked-by's.

v3->v4:
- Picked up an Acked-by on 5/5.
- Updated cover letter to cover "why not ...".
- Refactored userfaultfd_allowed() into userfaultfd_syscall_allowed(). [Peter]
- Removed obsolete comment from a previous version. [Peter]
- Refactored userfaultfd_open() in selftest. [Peter]
- Reworded admin-guide documentation. [Mike, Peter]
- Squashed 2 commits adding /dev/userfaultfd to selftest and making selftest configurable. [Peter]
- Added "syscall" test modifier (the default behavior) to selftest. [Peter]

v2->v3:
- Rebased onto linux-next/akpm-base, in order to be based on top of the run_vmtests.sh refactor which was merged previously.
- Picked up some Reviewed-by's.
- Fixed ioctl definition (_IO instead of _IOWR), and stopped using compat_ptr_ioctl since it is unneeded for ioctls which don't take a pointer.
- Removed the "handle_kernel_faults" bool, simplifying the code. The result is logically equivalent, but simpler.
- Fixed userfaultfd selftest so it returns KSFT_SKIP appropriately.
- Reworded documentation per Shuah's feedback on v2.
- Improved example usage for userfaultfd selftest.

v1->v2:
- Add documentation update.
- Test *both* userfaultfd(2) and /dev/userfaultfd via the selftest.

[1]: https://patchwork.kernel.org/project/linux-mm/cover/20220719195628.3415852-1-axelrasmussen@google.com/
[2]: https://lore.kernel.org/lkml/686276b9-4530-2045-6bd8-170e5943abe4@schaufler-ca.com/T/

Axel Rasmussen (5):
  selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh
  userfaultfd: add /dev/userfaultfd for fine grained access control
  userfaultfd: selftests: modify selftest to use /dev/userfaultfd
  userfaultfd: update documentation to describe /dev/userfaultfd
  selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh

 Documentation/admin-guide/mm/userfaultfd.rst | 41 ++++++++++-
 Documentation/admin-guide/sysctl/vm.rst      |  3 +
 fs/userfaultfd.c                             | 73 +++++++++++++++----
 include/uapi/linux/userfaultfd.h             |  4 ++
 tools/testing/selftests/vm/run_vmtests.sh    | 15 ++--
 tools/testing/selftests/vm/userfaultfd.c     | 69 +++++++++++++++--
 6 files changed, 172 insertions(+), 33 deletions(-)

--
2.37.1.559.g78731f0fdb-goog