Re: [PATCH 2/2] Add a new sysctl knob: unprivileged_userfaultfd_user_mode_only
From: Jeffrey Vander Stoep <hidden>
Date: 2020-07-17 12:57:32
Also in:
linux-fsdevel, lkml
On Wed, May 20, 2020 at 11:17 PM Andrea Arcangeli [off-list ref] wrote:
> On Wed, May 20, 2020 at 01:17:20PM -0700, Lokesh Gidra wrote:
> > Adding the Android kernel team in the discussion.
>
> Unless I'm mistaken that you can already enforce bit 1 of the second parameter of the userfaultfd syscall to be set with seccomp-bpf, this would be more a question to the Android userland team. The question would be: does it ever happen that a seccomp filter isn't already applied to unprivileged software running without SYS_CAP_PTRACE capability?

Yes. Android uses SELinux as our primary sandboxing mechanism. We do use seccomp on a few processes, but we have found that it has a surprisingly high performance cost [1] on arm64 devices, so turning it on system-wide is not a good option.

[1] https://lore.kernel.org/linux-security-module/202006011116.3F7109A@keescook/T/#m82ace19539ac595682affabdf652c0ffa5d27dad

> If the answer is "no", the behavior of the new sysctl in patch 2/2 (in subject) should be enforceable with minor changes to the BPF assembly. Otherwise it'd require more changes.
>
> Thanks!
> Andrea
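The seccomp-bpf enforcement Andrea refers to, written out as an added example that is not part of this thread or of the posted patch: a classic-BPF filter that lets userfaultfd(2) through only when its flags argument (the syscall's single argument, args[0] in struct seccomp_data) has UFFD_USER_MODE_ONLY set, and fails the call with EPERM otherwise. It assumes a little-endian 64-bit Linux host (x86_64 or aarch64) and headers that define the flag (a fallback value of 1 is used where they do not); the names uffd_filter, run_filter, uffd_verdict and install_uffd_filter are this example's own. The small interpreter exists so the filter's verdicts can be checked in user space before installing it.

```c
/* Added example (not from the thread or the patch): seccomp-BPF filter that
 * requires UFFD_USER_MODE_ONLY on every userfaultfd(2) call.
 * Assumes little-endian 64-bit Linux; helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/userfaultfd.h>

#ifndef UFFD_USER_MODE_ONLY          /* headers older than the flag: assumed value 1 */
#define UFFD_USER_MODE_ONLY 1
#endif
#ifndef SECCOMP_RET_KILL_PROCESS     /* headers older than 4.14 only have RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define ARGS_LO32(i) (offsetof(struct seccomp_data, args[i]))   /* low word, little-endian */

/* Classic BPF as seccomp accepts it: fields are { code, jt, jf, k };
 * jump targets are relative to the next instruction (pc + 1 + jt/jf). */
static const struct sock_filter uffd_filter[] = {
    /* 0-2: refuse to interpret syscall numbers of another ABI */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch) },
    { BPF_JMP | BPF_JEQ | BPF_K, 1, 0, EXAMPLE_ARCH },
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS },
    /* 3-4: anything other than userfaultfd is allowed (jump to 8) */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr) },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 3, __NR_userfaultfd },
    /* 5-6: userfaultfd: allow only if flags has UFFD_USER_MODE_ONLY */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, ARGS_LO32(0) },
    { BPF_JMP | BPF_JSET | BPF_K, 1, 0, UFFD_USER_MODE_ONLY },
    /* 7: flag missing: fail the call with EPERM rather than killing the task */
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA) },
    /* 8 */
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW },
};
#define UFFD_FILTER_LEN (sizeof uffd_filter / sizeof uffd_filter[0])

/* Tiny cBPF interpreter for just the opcodes used above, so the filter can be
 * exercised without installing it. Fails closed on anything unexpected. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const uint8_t *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:
            pc += (acc & in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* SECCOMP_RET_* verdict for a syscall with this arch, number and first arg. */
uint32_t uffd_verdict(uint32_t arch, int nr, uint64_t flags)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = arch;
    sd.args[0] = flags;
    return run_filter(uffd_filter, UFFD_FILTER_LEN, &sd);
}

/* Install the filter for the calling task and its future children.
 * no_new_privs lets an unprivileged task do this. Returns 0 or -errno. */
int install_uffd_filter(void)
{
    struct sock_fprog prog = { .len = UFFD_FILTER_LEN,
                               .filter = (struct sock_filter *)uffd_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    int rc = install_uffd_filter();
    if (rc != 0) {
        fprintf(stderr, "install failed: %s\n", strerror(-rc));
        return 1;
    }
    /* Without the flag the filter answers EPERM before the kernel sees the call;
     * with it, the result depends on vm.unprivileged_userfaultfd on this host. */
    long fd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    printf("userfaultfd(O_CLOEXEC|O_NONBLOCK) -> %ld (%s)\n", fd, fd < 0 ? strerror(errno) : "ok");
    fd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
    printf("userfaultfd(...|UFFD_USER_MODE_ONLY) -> %ld (%s)\n", fd, fd < 0 ? strerror(errno) : "ok");
    return 0;
}
```

The filter only constrains tasks it is installed in, which is the gap Jeffrey's reply points at: a sysctl covers every unprivileged process, including the ones Android keeps out of seccomp for performance reasons, whereas this filter has to be loaded per process (and inherited from there). Returning SECCOMP_RET_ERRNO rather than a kill keeps the failure mode the same as the sysctl's, an EPERM the caller can handle.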