Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-07 Thread Florian Weimer
* Colin Walters:

> On Tue, Apr 6, 2021, at 4:30 PM, Florian Weimer wrote:
>> * Ondrej Mosnacek:
>> 
>> > Kernel 5.12 added support to SELinux for controlling access to the
>> > userfaultfd interface [1][2] and we'd like to implement this in
>> > Fedora's selinux-policy. However, once we add the corresponding class
>> > to the policy, all SELinux domains for which we don't add the
>> > appropriate rules will have any usage of userfaultfd(2) denied.
>> 
>> What's special about this system call that this is necessary?
>
> https://lwn.net/Articles/835373/

I have some understanding of what the system call does, which is why I'm
asking the question.

Thanks,
Florian
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-07 Thread Colin Walters


On Tue, Apr 6, 2021, at 4:30 PM, Florian Weimer wrote:
> * Ondrej Mosnacek:
> 
> > Kernel 5.12 added support to SELinux for controlling access to the
> > userfaultfd interface [1][2] and we'd like to implement this in
> > Fedora's selinux-policy. However, once we add the corresponding class
> > to the policy, all SELinux domains for which we don't add the
> > appropriate rules will have any usage of userfaultfd(2) denied.
> 
> What's special about this system call that this is necessary?

https://lwn.net/Articles/835373/


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-07 Thread Ondrej Mosnacek
On Tue, Apr 6, 2021 at 10:30 PM Florian Weimer wrote:
> * Ondrej Mosnacek:
>
> > Kernel 5.12 added support to SELinux for controlling access to the
> > userfaultfd interface [1][2] and we'd like to implement this in
> > Fedora's selinux-policy. However, once we add the corresponding class
> > to the policy, all SELinux domains for which we don't add the
> > appropriate rules will have any usage of userfaultfd(2) denied.
>
> What's special about this system call that this is necessary?

Our primary motivation is not so much to have this specific syscall
covered, but rather to close the gap between what is supported by the
kernel versus the policy. On the default "targeted" policy the
security classes/permissions (think of this as individual kinds of
operations that can be allowed or denied) that are unknown to the
policy are allowed by default, but on the more strict "mls" variant
they are denied. So once the kernel adds a new security
class/permission, we are forced to implement it in some way so that
the corresponding functionality is not blanket-denied on the MLS
policy. It is of course possible to just allow the new operation
globally if it's something not worth bothering with, but we rather try
to follow the principle of least privilege and allow new things only
where they are needed.

That said, I heard that userfaultfd(2) has been used in some exploits,
so there may be merit in trying to restrict its use (especially when
the legitimate use seems to be limited to just a few applications). A
quick Google search indeed reveals a few interesting examples:
https://blog.lizzie.io/using-userfaultfd.html
https://www.exploit-db.com/exploits/45983
https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html#heap-spraying

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
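
To make the policy side of this concrete, here is an added example (not code from selinux-policy, the kernel, or anyone in this thread) of the triage a policy writer does once a new security class is enforced: collect the AVC denials for that class, fold them into one candidate rule per (source domain, target type) pair, and flag any domain that was not on the list of expected users instead of granting it blindly. The audit records are constructed to follow the kernel's AVC message layout; the domain example_app_t and the comm strings are invented for illustration, while svirt_t and svirt_tcg_t are the QEMU domains named elsewhere in the thread.

```python
"""
Aggregate SELinux AVC denials for one object class into candidate
allow rules, flagging domains that were not expected to need them.

Added example; not selinux-policy or kernel code. The audit records
below are constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# Domains known (from this thread) to need userfaultfd: libvirt-managed QEMU.
EXPECTED_DOMAINS = {"svirt_t", "svirt_tcg_t"}

# Constructed sample audit records. example_app_t is a hypothetical domain
# standing in for "some service nobody knew used userfaultfd(2)". The last
# two records (a file denial and a SYSCALL record) must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1617724800.101:1001): avc:  denied  { create } for  pid=2301 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c12,c340 tcontext=system_u:system_r:svirt_t:s0:c12,c340 tclass=userfaultfd permissive=0
type=AVC msg=audit(1617724800.102:1002): avc:  denied  { ioctl } for  pid=2301 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c12,c340 tcontext=system_u:system_r:svirt_t:s0:c12,c340 tclass=userfaultfd permissive=0
type=AVC msg=audit(1617724800.103:1003): avc:  denied  { read } for  pid=2301 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c12,c340 tcontext=system_u:system_r:svirt_t:s0:c12,c340 tclass=userfaultfd permissive=0
type=AVC msg=audit(1617724800.110:1004): avc:  denied  { create } for  pid=2417 comm="example-app" scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:system_r:example_app_t:s0 tclass=userfaultfd permissive=0
type=AVC msg=audit(1617724800.111:1005): avc:  denied  { write } for  pid=2417 comm="example-app" name="state" dev="dm-0" ino=4242 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1617724800.110:1004): arch=c000003e syscall=323 success=no exit=-13 comm="example-app"
"""

# Pulls the permission set, both contexts and the class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """A context is user:role:type[:range]; the type is the third field."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the parsed denial, or None for non-AVC / non-denial records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(m.group("scon")),
        "ttype": context_type(m.group("tcon")),
        "tclass": m.group("tclass"),
    }


def aggregate_denials(lines, tclass):
    """Union the denied permissions per (source type, target type) for tclass."""
    agg = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != tclass:
            continue
        agg[(rec["stype"], rec["ttype"])] |= rec["perms"]
    return dict(agg)


def render_rules(agg, tclass, expected_domains):
    """Emit one TE allow rule per pair; prefix a REVIEW comment for surprises.

    A domain whose target is itself gets the 'self' keyword, which is the
    normal case for userfaultfd because the anonymous inode is labeled
    with the creating task's context.
    """
    rules = []
    for (stype, ttype), perms in sorted(agg.items()):
        target = "self" if stype == ttype else ttype
        rule = f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if stype not in expected_domains:
            rule = f"# REVIEW: {stype} was not expected to use {tclass}\n" + rule
        rules.append(rule)
    return rules


if __name__ == "__main__":
    denials = aggregate_denials(SAMPLE_AUDIT.splitlines(), "userfaultfd")
    for rule in render_rules(denials, "userfaultfd", EXPECTED_DOMAINS):
        print(rule)
```

Run as a script it prints a ready-to-review rule for svirt_t and a flagged one for the hypothetical example_app_t. On a live system the same aggregation is what audit2allow does over `ausearch -m AVC` output; the review flag encodes the point made above, that a denial is a prompt to decide whether a domain should have the permission, not an instruction to grant it. Whether the loaded policy denies or allows classes it does not define can be read from /sys/fs/selinux/deny_unknown (1 means denied, which is the MLS behaviour described above).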


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-07 Thread Ondrej Mosnacek
On Tue, Apr 6, 2021 at 7:33 PM Zbigniew Jędrzejewski-Szmek wrote:
> On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> > Hi all,
> >
> > Kernel 5.12 added support to SELinux for controlling access to the
> > userfaultfd interface [1][2] and we'd like to implement this in
> > Fedora's selinux-policy. However, once we add the corresponding class
> > to the policy, all SELinux domains for which we don't add the
> > appropriate rules will have any usage of userfaultfd(2) denied.
>
> https://codesearch.debian.net/search?q=userfaultfd(=1
> lists a few candidates…

Thanks, that's a nice tool!

Filtering out false-positives, the kernel itself, and user programs
that would normally run under unconfined_t, packages dead in Fedora,
..., the only relevant one seems to be 'criu' (already mentioned in
this thread). Strange that it didn't find QEMU... maybe needs a more
generic search...

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Florian Weimer
* Ondrej Mosnacek:

> Kernel 5.12 added support to SELinux for controlling access to the
> userfaultfd interface [1][2] and we'd like to implement this in
> Fedora's selinux-policy. However, once we add the corresponding class
> to the policy, all SELinux domains for which we don't add the
> appropriate rules will have any usage of userfaultfd(2) denied.

What's special about this system call that this is necessary?

Thanks,
Florian


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Florian Weimer
* Zbigniew Jędrzejewski-Szmek:

> The code is available. From what I remember, they had a fairly beefy
> server dedicated to the indexing... But if somebody provides that, it
> should be fairly easy to duplicate.

Michael even expressed interest about setting up an instance, if I
recall correctly, but that was quite some time ago.

Thanks,
Florian


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Zbigniew Jędrzejewski-Szmek
On Tue, Apr 06, 2021 at 01:20:33PM -0400, Matthew Miller wrote:
> On Tue, Apr 06, 2021 at 05:16:52PM +, Zbigniew Jędrzejewski-Szmek wrote:
> > https://codesearch.debian.net/search?q=userfaultfd(=1
> > lists a few candidates…
> 
> You beat me to this suggestion. :)
> 
> I'd love for Fedora to someday have a similar service!

Me too ;)

The code is available. From what I remember, they had a fairly beefy
server dedicated to the indexing... But if somebody provides that, it
should be fairly easy to duplicate.

Zbyszek


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Matthew Miller
On Tue, Apr 06, 2021 at 05:16:52PM +, Zbigniew Jędrzejewski-Szmek wrote:
> https://codesearch.debian.net/search?q=userfaultfd(=1
> lists a few candidates…

You beat me to this suggestion. :)

I'd love for Fedora to someday have a similar service!

-- 
Matthew Miller

Fedora Project Leader


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Daniel P. Berrangé
On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> Hi all,
> 
> Kernel 5.12 added support to SELinux for controlling access to the
> userfaultfd interface [1][2] and we'd like to implement this in
> Fedora's selinux-policy. However, once we add the corresponding class
> to the policy, all SELinux domains for which we don't add the
> appropriate rules will have any usage of userfaultfd(2) denied.
> 
> Therefore, we would like to identify as many users of this syscall as
> possible before we make that change, so that we can add and test all
> the needed rules in one go, minimizing the amount of denials found
> after the fact. My understanding is that userfaultfd(2) doesn't have
> many users among system services, so it should be possible to catch
> most/all of them in advance.
> 
> So if you know that your (or any other) Fedora component uses
> userfaultfd(2), please let us know. AFAIK, at least QEMU most likely
> uses it, so we'll have that one on our radar, but we'd like to know if
> there are any other programs/services we need to cover.

Yes, QEMU uses userfaultfd(2) for its post-copy live migration
feature, so we'll need that allowed in the svirt_t / svirt_tcg_t
types.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Zbigniew Jędrzejewski-Szmek
On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> Hi all,
> 
> Kernel 5.12 added support to SELinux for controlling access to the
> userfaultfd interface [1][2] and we'd like to implement this in
> Fedora's selinux-policy. However, once we add the corresponding class
> to the policy, all SELinux domains for which we don't add the
> appropriate rules will have any usage of userfaultfd(2) denied.

https://codesearch.debian.net/search?q=userfaultfd(=1
lists a few candidates…

Zbyszek


Re: Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Adrian Reber
On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> Hi all,
> 
> Kernel 5.12 added support to SELinux for controlling access to the
> userfaultfd interface [1][2] and we'd like to implement this in
> Fedora's selinux-policy. However, once we add the corresponding class
> to the policy, all SELinux domains for which we don't add the
> appropriate rules will have any usage of userfaultfd(2) denied.
> 
> Therefore, we would like to identify as many users of this syscall as
> possible before we make that change, so that we can add and test all
> the needed rules in one go, minimizing the amount of denials found
> after the fact. My understanding is that userfaultfd(2) doesn't have
> many users among system services, so it should be possible to catch
> most/all of them in advance.
> 
> So if you know that your (or any other) Fedora component uses
> userfaultfd(2), please let us know. AFAIK, at least QEMU most likely
> uses it, so we'll have that one on our radar, but we'd like to know if
> there are any other programs/services we need to cover.

CRIU can use userfaultfd to lazy migrate processes from one host to
another. It can be also triggered from runc when migrating containers.
As far as I know userfaultfd based container migration is not exposed in
any container engine above the level of runc.

Adrian




Looking for users of userfaultfd(2) syscall in Fedora

2021-04-06 Thread Ondrej Mosnacek
Hi all,

Kernel 5.12 added support to SELinux for controlling access to the
userfaultfd interface [1][2] and we'd like to implement this in
Fedora's selinux-policy. However, once we add the corresponding class
to the policy, all SELinux domains for which we don't add the
appropriate rules will have any usage of userfaultfd(2) denied.

Therefore, we would like to identify as many users of this syscall as
possible before we make that change, so that we can add and test all
the needed rules in one go, minimizing the amount of denials found
after the fact. My understanding is that userfaultfd(2) doesn't have
many users among system services, so it should be possible to catch
most/all of them in advance.

So if you know that your (or any other) Fedora component uses
userfaultfd(2), please let us know. AFAIK, at least QEMU most likely
uses it, so we'll have that one on our radar, but we'd like to know if
there are any other programs/services we need to cover.

Thanks!

[1] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29cd6591ab6fee3125ea5c1bf350f5013bc615e1
[2] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b537900f1598b67bcb8acac20da73c6e26ebbf99
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.