From patchwork Wed Aug 17 21:47:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Axel Rasmussen X-Patchwork-Id: 12946520 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15A4DC25B08 for ; Wed, 17 Aug 2022 21:47:34 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 734EC8D0001; Wed, 17 Aug 2022 17:47:34 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 6E3806B0074; Wed, 17 Aug 2022 17:47:34 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5AC8E8D0001; Wed, 17 Aug 2022 17:47:34 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 498A76B0073 for ; Wed, 17 Aug 2022 17:47:34 -0400 (EDT) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 0B98B1C6A9E for ; Wed, 17 Aug 2022 21:47:34 +0000 (UTC) X-FDA: 79810421586.29.6C49626 Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) by imf13.hostedemail.com (Postfix) with ESMTP id A255E2015F for ; Wed, 17 Aug 2022 21:47:33 +0000 (UTC) Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-3360c0f0583so19683867b3.2 for ; Wed, 17 Aug 2022 14:47:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:mime-version:message-id:date:from:to:cc; bh=ZccKepyy+mkkFUP/9kxuvptYUZUbOq684Zg6ooxPEl8=; b=oAdGHMBIBRjGZoLLA6VlX+94im86xq9mmys56n9di740YtF0BsvAgpxpdRGW7ioWJ9 efJ4cZQsGoUWRIkGaAOqaRiwkNNqOkVw1OKvOeFHQbrACOK52MhHZO3la1555gKKAt6q yzBKJj2rjhmFApIEejIm2MLfg+AxYxL4fHi6H4nfI4G8cz9U2Q7F5NT64EJuA3xiSmUQ izE2YWr3delvoaf5cw2raoNjAS43v6W550GMyLNT4tJgveQY+FV8shQdQg+x6AkbgUYz retvQtg8mO4CmiutKEyqBp6+JFE/pIyHLxykKY8G7w5n/QIKIuHSHSD28Cpx0Uu/lUD2 3H7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:mime-version:message-id:date:x-gm-message-state :from:to:cc; bh=ZccKepyy+mkkFUP/9kxuvptYUZUbOq684Zg6ooxPEl8=; b=iVemBtcrmU/Ud+wk+W+DXDbz/ili1xHn43wHLreW5lcWb/n6vvfFO5hSR1fo2GQqWg 0S0f6RLkwlJi/zMIa3EbErYQS/uLU6g2Ej4Jel7NdAr+H+2aEETEfR6hddC9WTRkz3Rz px4B3gl21EGV1311oOfU0OOb1H6MQQs+v8WEUoB+IfXZIoDhR+tnzyLW7BpCIpVS9WOl 3EWijcRKGBEg0HBTvDoANy3yRU/4GEPzYVciXLIckZUISJ/plO0K45S3FMUwRi7akYyV HWeKnIfD8nOW/5CxKqgJO9MKQnMl8ISoTr/JPCig/buns9VzAFdn8bu+bBc8Is5Bo48L v+6A== X-Gm-Message-State: ACgBeo2M83NV3Q/Gqt3LW12ENS2eNONNMcUQYnahtTlV2KhKbFee7I/w WxO3axxGfEEHMfCpKXg/gaFXgvd9Lk9zRAUVb94r X-Google-Smtp-Source: AA6agR41kshahHzOHokRZUKnpIW9g/i+LTC2cDfWo+NhTdS+UTJkI+SoWb4uW6VK9HAabIEYe6Ct3OITfI8JzSknsvQH X-Received: from ajr0.svl.corp.google.com ([2620:15c:2d4:203:2f41:f176:4bac:b729]) (user=axelrasmussen job=sendgmr) by 2002:a05:6902:722:b0:679:7ff8:1471 with SMTP id l2-20020a056902072200b006797ff81471mr240843ybt.352.1660772852878; Wed, 17 Aug 2022 14:47:32 -0700 (PDT) Date: Wed, 17 Aug 2022 14:47:23 -0700 Message-Id: <20220817214728.489904-1-axelrasmussen@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.37.1.595.g718a3a8f04-goog Subject: [PATCH v6 0/5] userfaultfd: add /dev/userfaultfd for fine grained access control From: Axel Rasmussen To: Alexander Viro , Andrew Morton , Dave Hansen , "Dmitry V . Levin" , Gleb Fotengauer-Malinovskiy , Hugh Dickins , Jan Kara , Jonathan Corbet , Mel Gorman , Mike Kravetz , Mike Rapoport , Nadav Amit , Peter Xu , Shuah Khan , Suren Baghdasaryan , Vlastimil Babka , zhangyi Cc: Axel Rasmussen , linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-security-module@vger.kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1660772853; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=ZccKepyy+mkkFUP/9kxuvptYUZUbOq684Zg6ooxPEl8=; b=wftbuhLmNt+nV4ZgkPHR5fDGB31OT1x9lEo7ooST/vJr0/3+zsLtTw42p3DwPudaXvQ2bH VdgB+0crsILNWu4bDugXRLzxHZqiLYqrnSY5JjBXN6va8mN89wxGj1dUsjqpC5tFf6JR6J tISAxypHtgQQz49TucNgFjW1+ocJ0OY= ARC-Authentication-Results: i=1; imf13.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=oAdGHMBI; spf=pass (imf13.hostedemail.com: domain of 39GH9Yg0KCMsrEv28r93B99v4x55x2v.t532z4BE-331Crt1.58x@flex--axelrasmussen.bounces.google.com designates 209.85.128.201 as permitted sender) smtp.mailfrom=39GH9Yg0KCMsrEv28r93B99v4x55x2v.t532z4BE-331Crt1.58x@flex--axelrasmussen.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1660772853; a=rsa-sha256; cv=none; b=QeRpbsBYpRPWVkKdXx8rFSuAxpFhJ9wXi7se1kKtBgGwsNFrfkRV21bgImZwSDOnTGD++a 2TZvJDUncwFqH9R9UFJQxxifLqBSPcRowg9qPn0u/mLC0BH1XFbg4Aus8ASf+t7zLtF+PP UMdG72UqA2317M3+d95PZ1A3sxYRTb4= Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=oAdGHMBI; spf=pass (imf13.hostedemail.com: domain of 39GH9Yg0KCMsrEv28r93B99v4x55x2v.t532z4BE-331Crt1.58x@flex--axelrasmussen.bounces.google.com designates 209.85.128.201 as permitted sender) smtp.mailfrom=39GH9Yg0KCMsrEv28r93B99v4x55x2v.t532z4BE-331Crt1.58x@flex--axelrasmussen.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com X-Stat-Signature: ugbhpmr76yyj74mpe7p8mwia3bis6y9b X-Rspamd-Queue-Id: A255E2015F X-Rspam-User: X-Rspamd-Server: rspam01 X-HE-Tag: 1660772853-840631 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: This series is based on torvalds/master. The series is split up like so: - Patch 1 is a simple fixup which we should take in any case (even by itself). - Patches 2-5 add the feature, configurable selftest support, and docs. Why not ...? ============ - Why not /proc/[pid]/userfaultfd? Two main points (additional discussion [1]): - /proc/[pid]/* files are all owned by the user/group of the process, and they don't really support chmod/chown. So, without extending procfs it doesn't solve the problem this series is trying to solve. - The main argument *for* this was to support creating UFFDs for remote processes. But, that use case clearly calls for CAP_SYS_PTRACE, so to support this we could just use the UFFD syscall as-is. - Why not use a syscall? Access to syscalls is generally controlled by capabilities. We don't have a capability which is used for userfaultfd access without also granting more / other permissions as well, and adding a new capability was rejected [2]. - It's possible a LSM could be used to control access instead, but I have some concerns. I don't think this approach would be as easy to use, particularly if we were to try to solve this with something heavyweight like SELinux. Maybe we could pursue adding a new LSM specifically for this user case, but it may be too narrow of a case to justify that. Changelog ========= v5->v6: - Modified selftest to exit with KSFT_SKIP *only* when features are unsupported, exiting with 1 in other error cases. [Mike] - Improved wording in two spots in the documentation. [Mike] - Picked up some Acked-by's. v4->v5: - Call userfaultfd_syscall_allowed() directly in the syscall, so we don't have to plumb a flag into new_userfaultfd(). [Nadav] - Refactored run_vmtests.sh to loop over UFFD test mods. [Nadav] - Reworded cover letter. - Picked up some Acked-by's. v3->v4: - Picked up an Acked-by on 5/5. - Updated cover letter to cover "why not ...". - Refactored userfaultfd_allowed() into userfaultfd_syscall_allowed(). [Peter] - Removed obsolete comment from a previous version. [Peter] - Refactored userfaultfd_open() in selftest. [Peter] - Reworded admin-guide documentation. [Mike, Peter] - Squashed 2 commits adding /dev/userfaultfd to selftest and making selftest configurable. [Peter] - Added "syscall" test modifier (the default behavior) to selftest. [Peter] v2->v3: - Rebased onto linux-next/akpm-base, in order to be based on top of the run_vmtests.sh refactor which was merged previously. - Picked up some Reviewed-by's. - Fixed ioctl definition (_IO instead of _IOWR), and stopped using compat_ptr_ioctl since it is unneeded for ioctls which don't take a pointer. - Removed the "handle_kernel_faults" bool, simplifying the code. The result is logically equivalent, but simpler. - Fixed userfaultfd selftest so it returns KSFT_SKIP appropriately. - Reworded documentation per Shuah's feedback on v2. - Improved example usage for userfaultfd selftest. v1->v2: - Add documentation update. - Test *both* userfaultfd(2) and /dev/userfaultfd via the selftest. [1]: https://patchwork.kernel.org/project/linux-mm/cover/20220719195628.3415852-1-axelrasmussen@google.com/ [2]: https://lore.kernel.org/lkml/686276b9-4530-2045-6bd8-170e5943abe4@schaufler-ca.com/T/ Axel Rasmussen (5): selftests: vm: add hugetlb_shared userfaultfd test to run_vmtests.sh userfaultfd: add /dev/userfaultfd for fine grained access control userfaultfd: selftests: modify selftest to use /dev/userfaultfd userfaultfd: update documentation to describe /dev/userfaultfd selftests: vm: add /dev/userfaultfd test cases to run_vmtests.sh Documentation/admin-guide/mm/userfaultfd.rst | 41 ++++++++++- Documentation/admin-guide/sysctl/vm.rst | 3 + fs/userfaultfd.c | 73 ++++++++++++++----- include/uapi/linux/userfaultfd.h | 4 ++ tools/testing/selftests/vm/run_vmtests.sh | 15 ++-- tools/testing/selftests/vm/userfaultfd.c | 76 +++++++++++++++++--- 6 files changed, 178 insertions(+), 34 deletions(-) --- 2.37.1.595.g718a3a8f04-goog