add CONFIG for unprivileged_userfaultfd

When disabled, unprivileged users will not be able to use the userfaultfd
syscall. Userfaultfd provide attackers with a way to stall a kernel
thread in the middle of memory accesses from userspace by initiating an
access on an unmapped page. To avoid various heap grooming and heap
spraying techniques for exploiting use-after-free flaws this should be
disabled by default.

This setting can be overridden at runtime via the
vm.unprivileged_userfaultfd sysctl.

Signed-off-by: Levente Polyak <[email protected]>

Author: anthraxx

fs/userfaultfd.c

@@ -28,7 +28,11 @@
 #include <linux/security.h>
 #include <linux/hugetlb.h>
 
+#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
 int sysctl_unprivileged_userfaultfd __read_mostly = 1;
+#else
+int sysctl_unprivileged_userfaultfd __read_mostly;
+#endif
 
 static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
 

init/Kconfig

@@ -1733,6 +1733,23 @@ config USERFAULTFD
 	  Enable the userfaultfd() system call that allows to intercept and
 	  handle page faults in userland.
 
+config USERFAULTFD_UNPRIVILEGED
+	bool "Allow unprivileged users to use the userfaultfd syscall"
+	depends on USERFAULTFD
+	default n
+	help
+	  When disabled, unprivileged users will not be able to use the userfaultfd
+	  syscall. Userfaultfd provide attackers with a way to stall a kernel
+	  thread in the middle of memory accesses from userspace by initiating an
+	  access on an unmapped page. To avoid various heap grooming and heap
+	  spraying techniques for exploiting use-after-free flaws this should be
+	  disabled by default.
+
+	  This setting can be overridden at runtime via the
+	  vm.unprivileged_userfaultfd sysctl.
+
+	  If unsure, say N.
+
 config ARCH_HAS_MEMBARRIER_CALLBACKS
 	bool