Feature #17196

Disable unprivileged userfaultfd

Added by cypherpunks 3 months ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch: feature/17196-disable-unprivileged-userfaultfd+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

The userfaultfd() syscall has had numerous security issues ever since it was released. It is of no use to Tails, so it should be disabled for security. Linux recently provided the option to restrict this syscall to the root user to mitigate the security issues. This can be done by setting the sysctl vm.unprivileged_userfaultfd to 0. This feature request is similar to related sysctl hardening tickets like #11827, #11840, #11421, and #12025.
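
An added example, not part of the ticket or of Tails' code: a shell audit that checks both what the sysctl configuration files assign to vm.unprivileged_userfaultfd and what the running kernel enforces. The function names, the file names in `demo`, and the simplified "last assignment in the order given wins" precedence are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Tails code): audit vm.unprivileged_userfaultfd.
KEY="vm.unprivileged_userfaultfd"

# Print the last value assigned to $KEY in the given sysctl files, read in
# the order given (assumption: the caller lists them in application order).
configured_value() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; echo; fi
    done | awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }            # skip comment lines
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)    # drop indent and the "-" ignore-errors prefix
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/\//, ".", k)            # vm/foo names the same key as vm.foo
            if (k == key) last = v
        }
        END { if (last != "") print last }'
}

# Print the value the running kernel enforces, or "absent" when the kernel
# does not expose this sysctl. $1 overrides the path (used by the demo).
runtime_value() {
    proc="${1:-/proc/sys/vm/unprivileged_userfaultfd}"
    if [ -r "$proc" ]; then cat "$proc"; else echo "absent"; fi
}

# audit PROC_PATH FILE...: succeed only if config and kernel both say 0.
audit() {
    proc="$1"; shift
    conf="$(configured_value "$@")"
    run="$(runtime_value "$proc")"
    echo "configured=${conf:-unset} runtime=${run}"
    [ "$conf" = "0" ] && [ "$run" = "0" ]
}

# Constructed sample: an early file permits the syscall, a later one denies it.
demo() {
    d="$(mktemp -d)"
    printf 'vm.unprivileged_userfaultfd = 1\n' > "$d/10-default.conf"
    printf '# hardening\nvm.unprivileged_userfaultfd=0\n' > "$d/90-hardening.conf"
    printf '0\n' > "$d/proc"
    audit "$d/proc" "$d/10-default.conf" "$d/90-hardening.conf"; rc=$?
    rm -rf "$d"; return "$rc"
}
```

On a live system, `audit "" /etc/sysctl.d/*.conf /etc/sysctl.conf` reads the real /proc entry; a non-zero exit means the configuration or the running kernel does not have the value 0, or the kernel lacks the sysctl.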

Associated revisions

Revision 469f7de4 (diff)
Added by denkxor 3 months ago

Disable unprivileged userfaultfd (refs: #17196)

Revision 4997d82f
Added by intrigeri 3 months ago

Merge remote-tracking branch 'origin/feature/17196-disable-unprivileged-userfaultfd+force-all-tests' into stable

Closes: #17196

History

#1 Updated by intrigeri 3 months ago

  • Status changed from New to Confirmed

This proposal makes sense to me. It would be sweet if someone ran our full test suite on an image with this implemented, to check that it does not break anything (at the moment Debian's codesearch is broken so I can't check where this syscall is used).

#3 Updated by denkxor 3 months ago

  • Status changed from Confirmed to In Progress

#4 Updated by segfault 3 months ago

  • Feature Branch set to feature/17196-disable-unprivileged-userfaultfd

denkxor wrote:

Added the new option here: https://gitlab.com/denkxor/tails/commit/52fca4d1710fd73126f43360412e0a2e4c177e2e

Thanks! I cherry-picked your commit to a new branch on tails.git (based on the stable branch, so that we could release it in 4.1), so that we can run our test suite on it.

#5 Updated by segfault 3 months ago

  • Feature Branch changed from feature/17196-disable-unprivileged-userfaultfd to feature/17196-disable-unprivileged-userfaultfd+force-all-tests

Forgot to name the branch correctly, so that actually the full test suite is executed.

#6 Updated by intrigeri 3 months ago

  • Status changed from In Progress to Needs Validation
  • Assignee set to intrigeri

#7 Updated by intrigeri 3 months ago

  • Target version set to Tails_4.1

#8 Updated by intrigeri 3 months ago

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100
