On Tue, Mar 12, 2019 at 08:58:30AM +0200, Mike Rapoport wrote:
[...]
> > +config USERFAULTFD_UNPRIVILEGED_DEFAULT
> > + string "Default behavior for unprivileged userfault syscalls"
> > + depends on USERFAULTFD
> > + default "disabled"
> > + help
> > + Set this to "enabled" to allow userfaultfd syscalls from
> > + unprivileged users. Set this to "disabled" to forbid
> > + userfaultfd syscalls from unprivileged users. Set this to
> > + "kvm" to forbid unpriviledged users but still allow users
> > + who had enough permission to open /dev/kvm.
>
> I'd phrase it a bit differently:
>
> This option controls privilege level required to execute userfaultfd
^
+---- add " the default"?
> system call.
>
> Set this to "enabled" to allow userfaultfd system call from unprivileged
> users.
> Set this to "disabled" to allow userfaultfd system call only for users who
> have ptrace capability.
> Set this to "kvm" to restrict userfaultfd system call usage to users with
^
add " who have ptrace capability, or" -------+
> permissions to open "/dev/kvm".
I think your version is better than mine, but I'd like to confirm
about above two extra changes before I squash them into the patch. :)
Thanks!
--
Peter Xu
