add CONFIG for unprivileged_userfaultfd

When disabled, unprivileged users will not be able to use the userfaultfd syscall. Userfaultfd provide attackers with a way to stall a kernel thread in the middle of memory accesses from userspace by initiating an access on an unmapped page. To avoid various heap grooming and heap spraying techniques for exploiting use-after-free flaws this should be disabled by default. This setting can be overridden at runtime via the vm.unprivileged_userfaultfd sysctl. Signed-off-by: Levente Polyak <levente@leventepolyak.net>
anthraxx · Apr 4, 2020 · a712392 · a712392
1 parent 94b231b
commit a712392
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
@@ -28,7 +28,11 @@
 #include <linux/security.h>
 #include <linux/hugetlb.h>
 
+#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
 int sysctl_unprivileged_userfaultfd __read_mostly = 1;
+#else
+int sysctl_unprivileged_userfaultfd __read_mostly;
+#endif
 
 static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
 

diff --git a/init/Kconfig b/init/Kconfig
@@ -1661,6 +1661,23 @@ config USERFAULTFD
 	  Enable the userfaultfd() system call that allows to intercept and
 	  handle page faults in userland.
 
+config USERFAULTFD_UNPRIVILEGED
+	bool "Allow unprivileged users to use the userfaultfd syscall"
+	depends on USERFAULTFD
+	default n
+	help
+	  When disabled, unprivileged users will not be able to use the userfaultfd
+	  syscall. Userfaultfd provide attackers with a way to stall a kernel
+	  thread in the middle of memory accesses from userspace by initiating an
+	  access on an unmapped page. To avoid various heap grooming and heap
+	  spraying techniques for exploiting use-after-free flaws this should be
+	  disabled by default.
+
+	  This setting can be overridden at runtime via the
+	  vm.unprivileged_userfaultfd sysctl.
+
+	  If unsure, say N.
+
 config ARCH_HAS_MEMBARRIER_CALLBACKS
 	bool