On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote: Yes, QEMU, uses userfaultfd(2) for its post-copy live migration feature, so we'll need that allowed in the svirt_t / svirt_tcg_t types. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Tue, Apr 6, 2021 at 10:30 PM Florian Weimer <fweimer(a)redhat.com&gt; wrote: Our primary motivation is not so much to have this specific syscall covered, but rather to close the gap between what is supported by the kernel versus the policy. On the default "targeted" policy the security classes/permissions (think of this as individual kinds of operations that can be allowed or denied) that are unknown to the policy are allowed by default, but on the more strict "mls" variant they are denied. So once the kernel adds a new security class/permission, we are forced to implement it in some way so that the corresponding functionality is not blanket-denied on the MLS policy. It is of course possible to just allow the new operation globally if it's something not worth bothering with, but we rather try to follow the principle of least privilege and allow new things only where they are needed. That said, I heard that userfaultfd(2) has been used in some exploits, so there may be merit in trying to restrict its use (especially when the legitimate use seems to be limited to just a few applications). A quick Google search indeed reveals a few interesting examples: https://blog.lizzie.io/using-userfaultfd.html https://www.exploit-db.com/exploits/45983 https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html#heap-spraying -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.