[PATCH] userfaultfd, capability: introduce CAP_USERFAULTFD
Peter Xu
peterx at redhat.com
Fri Feb 25 02:58:26 UTC 2022
On Thu, Feb 24, 2022 at 04:39:44PM -0800, Casey Schaufler wrote:
> What I'd want to see is multiple users where the use of CAP_USERFAULTFD
> is independent of the use of CAP_SYS_PTRACE. That is, the programs would
> never require CAP_SYS_PTRACE. There should be demonstrated real value.
> Not just that a compromised program with CAP_SYS_PTRACE can do bad things,
> but that the programs with CAP_USERFAULTFD are somehow susceptible to
> being exploited to doing those bad things. Hypothetical users are just
> that, and often don't materialize.
I kind of have the same question indeed.
The use case we're talking about is VM migration, and the in-question
subject is literally the migration process or thread. Isn't that a trusted
piece of software already?
Then the question is why the extra capability (in CAP_PTRACE but not in
CAP_UFFD) could bring much risk to the system. Axel, did I miss something
important?
Thanks,
--
Peter Xu