Discussion:
Looking for users of userfaultfd(2) syscall in Fedora
Ondrej Mosnacek
2021-04-06 16:57:27 UTC
Hi all,

Kernel 5.12 added support to SELinux for controlling access to the
userfaultfd interface [1][2] and we'd like to implement this in
Fedora's selinux-policy. However, once we add the corresponding class
to the policy, all SELinux domains for which we don't add the
appropriate rules will have any usage of userfaultfd(2) denied.

Therefore, we would like to identify as many users of this syscall as
possible before we make that change, so that we can add and test all
the needed rules in one go, minimizing the amount of denials found
after the fact. My understanding is that userfaultfd(2) doesn't have
many users among system services, so it should be possible to catch
most/all of them in advance.

So if you know that your (or any other) Fedora component uses
userfaultfd(2), please let us know. AFAIK, at least QEMU most likely
uses it, so we'll have that one on our radar, but we'd like to know if
there are any other programs/services we need to cover.

Thanks!

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29cd6591ab6fee3125ea5c1bf350f5013bc615e1
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b537900f1598b67bcb8acac20da73c6e26ebbf99
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/
Daniel P. Berrangé
2021-04-06 17:19:03 UTC
Post by Ondrej Mosnacek
Hi all,
Kernel 5.12 added support to SELinux for controlling access to the
userfaultfd interface [1][2] and we'd like to implement this in
Fedora's selinux-policy. However, once we add the corresponding class
to the policy, all SELinux domains for which we don't add the
appropriate rules will have any usage of userfaultfd(2) denied.
Therefore, we would like to identify as many users of this syscall as
possible before we make that change, so that we can add and test all
the needed rules in one go, minimizing the amount of denials found
after the fact. My understanding is that userfaultfd(2) doesn't have
many users among system services, so it should be possible to catch
most/all of them in advance.
So if you know that your (or any other) Fedora component uses
userfaultfd(2), please let us know. AFAIK, at least QEMU most likely
uses it, so we'll have that one on our radar, but we'd like to know if
there are any other programs/services we need to cover.
Yes, QEMU uses userfaultfd(2) for its post-copy live migration
feature, so we'll need that allowed in the svirt_t / svirt_tcg_t
types.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Matthew Miller
2021-04-06 17:20:33 UTC
https://codesearch.debian.net/search?q=userfaultfd(&literal=1
lists a few candidates…
You beat me to this suggestion. :)

I'd love for Fedora to someday have a similar service!

--
Matthew Miller
<***@fedoraproject.org>
Fedora Project Leader
Florian Weimer
2021-04-06 20:29:35 UTC
The code is available. From what I remember, they had a fairly beefy
server dedicated to the indexing... But if somebody provides that, it
should be fairly easy to duplicate.
Michael even expressed interest about setting up an instance, if I
recall correctly, but that was quite some time ago.

Thanks,
Florian
Florian Weimer
2021-04-06 20:30:39 UTC
Post by Ondrej Mosnacek
Kernel 5.12 added support to SELinux for controlling access to the
userfaultfd interface [1][2] and we'd like to implement this in
Fedora's selinux-policy. However, once we add the corresponding class
to the policy, all SELinux domains for which we don't add the
appropriate rules will have any usage of userfaultfd(2) denied.
What's special about this system call that this is necessary?

Thanks,
Florian
Ondrej Mosnacek
2021-04-07 13:26:46 UTC
Post by Florian Weimer
Post by Ondrej Mosnacek
Kernel 5.12 added support to SELinux for controlling access to the
userfaultfd interface [1][2] and we'd like to implement this in
Fedora's selinux-policy. However, once we add the corresponding class
to the policy, all SELinux domains for which we don't add the
appropriate rules will have any usage of userfaultfd(2) denied.
What's special about this system call that this is necessary?
Our primary motivation is not so much to have this specific syscall
covered, but rather to close the gap between what is supported by the
kernel versus the policy. On the default "targeted" policy the
security classes/permissions (think of this as individual kinds of
operations that can be allowed or denied) that are unknown to the
policy are allowed by default, but on the more strict "mls" variant
they are denied. So once the kernel adds a new security
class/permission, we are forced to implement it in some way so that
the corresponding functionality is not blanket-denied on the MLS
policy. It is of course possible to just allow the new operation
globally if it's something not worth bothering with, but we rather try
to follow the principle of least privilege and allow new things only
where they are needed.

That said, I heard that userfaultfd(2) has been used in some exploits,
so there may be merit in trying to restrict its use (especially when
the legitimate use seems to be limited to just a few applications). A
quick Google search indeed reveals a few interesting examples:
https://blog.lizzie.io/using-userfaultfd.html
https://www.exploit-db.com/exploits/45983
https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html#heap-spraying
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
Ondrej Mosnacek
2021-04-07 13:22:44 UTC
On Tue, Apr 6, 2021 at 7:33 PM Zbigniew Jędrzejewski-Szmek wrote:
Post by Ondrej Mosnacek
Hi all,
Kernel 5.12 added support to SELinux for controlling access to the
userfaultfd interface [1][2] and we'd like to implement this in
Fedora's selinux-policy. However, once we add the corresponding class
to the policy, all SELinux domains for which we don't add the
appropriate rules will have any usage of userfaultfd(2) denied.
https://codesearch.debian.net/search?q=userfaultfd(&literal=1
lists a few candidates…
Thanks, that's a nice tool!

Filtering out false-positives, the kernel itself, and user programs
that would normally run under unconfined_t, packages dead in Fedora,
..., the only relevant one seems to be 'criu' (already mentioned in
this thread). Strange that it didn't find QEMU... maybe needs a more
generic search...
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
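The thread looks for userfaultfd(2) users by searching source code, and notes that this missed QEMU. One reason a search for `userfaultfd(` misses callers is that glibc provides no wrapper for the syscall, so programs such as QEMU call `syscall(__NR_userfaultfd, ...)` instead. The script below is an added example, not code from the thread or from Fedora's selinux-policy: it takes the kernel's own answer to "who calls this syscall" (audit SYSCALL records collected with an `auditctl -S userfaultfd` rule), lists the SELinux domains and executables involved, and turns that list into a minimal local policy module of the kind audit2allow emits. The audit records are constructed for the example (`myservice` is a hypothetical confined service; QEMU and CRIU are the programs named in the thread), and the `anon_inode` rule is an assumption about the mechanism the cited kernel commits introduce (userfaultfd descriptors become anon_inode objects labelled, by default, with the caller's own context), not the rules Fedora's policy eventually adopted.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora's selinux-policy.
#
# Step 1: find out which SELinux domains call userfaultfd(2) on a running
# system. A source search misses callers that use syscall(__NR_userfaultfd, ...)
# (QEMU does; glibc has no wrapper), so ask the kernel instead:
#
#   auditctl -a always,exit -F arch=b64 -S userfaultfd -k uffd
#   auditctl -a always,exit -F arch=b32 -S userfaultfd -k uffd   # 32-bit callers
#   ... run the workloads (live migration, checkpoint/restore, ...) ...
#   ausearch -k uffd --raw > uffd-records.log
#
# The records below are constructed for this example. "myservice" is a
# hypothetical confined service; the other two are the programs the thread names.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1617728400.101:1): arch=c000003e syscall=323 success=yes exit=17 a0=80800 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2345 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c12,c34 key="uffd"
type=SYSCALL msg=audit(1617728401.202:2): arch=c000003e syscall=323 success=yes exit=9 a0=80800 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2350 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c56,c78 key="uffd"
type=SYSCALL msg=audit(1617728402.303:3): arch=c000003e syscall=323 success=yes exit=5 a0=80800 a1=0 a2=0 a3=0 items=0 ppid=4100 pid=4102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="criu" exe="/usr/sbin/criu" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="uffd"
type=PROCTITLE msg=audit(1617728402.303:3): proctitle=637269750064756D70
type=SYSCALL msg=audit(1617728403.404:4): arch=c000003e syscall=323 success=yes exit=5 a0=80800 a1=0 a2=0 a3=0 items=0 ppid=1 pid=5000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="myservice" exe="/usr/bin/myservice" subj=system_u:system_r:myservice_t:s0 key="uffd"'

# Print "domain executable" for every SYSCALL record, deduplicated and sorted.
# $1: raw audit records; $2 (optional): a domain to leave out, e.g. unconfined_t.
# Records of other types (PROCTITLE, CWD, ...) are ignored.
uffd_domains() {
    printf '%s\n' "$1" | awk -v skip="${2:-}" '
        $1 == "type=SYSCALL" {
            domain = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^subj=/) {
                    split(substr($i, 6), ctx, ":")   # user:role:type[:range]
                    domain = ctx[3]
                } else if ($i ~ /^exe=/) {
                    exe = substr($i, 5); gsub(/"/, "", exe)
                }
            }
            if (domain != "" && exe != "" && domain != skip) seen[domain " " exe] = 1
        }
        END { for (k in seen) print k }' | sort
}

# Step 2: turn that list into a minimal local module in the shape audit2allow
# emits. Assumption for this example: a userfaultfd descriptor is an anon_inode
# object labelled with the caller's own context (the default set up by the cited
# kernel commits), so each domain needs create/ioctl/read on itself. Fedora's
# final rules may be organised differently (dedicated type, interface macros).
# $1: module name; $2: "domain executable" lines as printed by uffd_domains.
uffd_policy_module() {
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$2" | awk '{ print "\ttype " $1 ";" }' | sort -u
    printf '\tclass anon_inode { create ioctl read };\n}\n\n'
    printf '%s\n' "$2" | awk '!seen[$1]++ {
        printf "allow %s self:anon_inode { create ioctl read };\t# %s\n", $1, $2 }'
}

# Stand-alone run: leave out unconfined_t, as the thread does for programs that
# normally run unconfined, and print the module for the remaining domains.
uffd_policy_module local_uffd "$(uffd_domains "$SAMPLE_RECORDS" unconfined_t)"
```

The generated module is built and loaded the same way as audit2allow output (`checkmodule -M -m -o local_uffd.mod local_uffd.te`, `semodule_package -o local_uffd.pp -m local_uffd.mod`, `semodule -i local_uffd.pp`), but only once the base policy declares the `anon_inode` class; before that, checkmodule rejects the `require` block, which is the gap the thread is about. Whether an undeclared class is allowed or denied on the running policy can be read from `/sys/fs/selinux/deny_unknown` (or the "Policy deny_unknown status" line of `sestatus`).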