On Wed, May 20, 2020 at 11:17 PM Andrea Arcangeli <aarcange@xxxxxxxxxx> wrote:
>
> On Wed, May 20, 2020 at 01:17:20PM -0700, Lokesh Gidra wrote:
> > Adding the Android kernel team in the discussion.
>
> Unless I'm mistaken that you can already enforce bit 1 of the second
> parameter of the userfaultfd syscall to be set with seccomp-bpf, this
> would be more a question to the Android userland team.
>
> The question would be: does it ever happen that a seccomp filter isn't
> already applied to unprivileged software running without
> SYS_CAP_PTRACE capability?

Yes. Android uses SELinux as our primary sandboxing mechanism. We do use
seccomp on a few processes, but we have found that it has a surprisingly
high performance cost [1] on arm64 devices, so turning it on system-wide
is not a good option.

[1] https://lore.kernel.org/linux-security-module/202006011116.3F7109A@keescook/T/#m82ace19539ac595682affabdf652c0ffa5d27dad

>
> If answer is "no" the behavior of the new sysctl in patch 2/2 (in
> subject) should be enforceable with minor changes to the BPF
> assembly. Otherwise it'd require more changes.
>
> Thanks!
> Andrea
>
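As an added illustration of the seccomp-bpf enforcement Andrea refers to (my own example, not code from this thread, from the patch series or from Android): a classic-BPF filter that lets userfaultfd(2) through only when its flags argument carries the required bit, plus a tiny interpreter so the policy can be unit-tested before PR_SET_SECCOMP installs it. Assumptions: the enforced bit has value 1 (the UFFD_USER_MODE_ONLY flag as later merged), the flag is read from the first syscall argument (args[0]), and the AUDIT_ARCH value is chosen for an arm64 device or an x86_64 test host.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define UFFD_REQUIRED_FLAG 1U          /* assumption: the userfaultfd flag bit to enforce (UFFD_USER_MODE_ONLY) */
#if defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64 /* Android arm64 devices */
#else
#define SECCOMP_ARCH AUDIT_ARCH_X86_64  /* assumption: x86_64 development host */
#endif

/* Policy: allow every syscall; userfaultfd(2) without the required bit fails with EPERM. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),            /* foreign arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_userfaultfd, 0, 3),    /* other syscall: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, UFFD_REQUIRED_FLAG, 1, 0), /* bit set: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Minimal cBPF interpreter for the four opcodes used above, so the policy is unit-testable before install. */
static __u32 run_filter(const struct seccomp_data *d) {
    __u32 A = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; pc++) {
        const struct sock_filter *in = &filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&A, (const char *)d + in->k, sizeof A);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (A == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_JMP | BPF_JSET | BPF_K)) pc += (A & in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K)) return in->k;
    }
    return SECCOMP_RET_KILL_PROCESS;   /* ran off the end of the program */
}
/* Decision for one syscall on the build architecture (flags = first syscall argument). */
static __u32 decide(int nr, __u64 flags) {
    struct seccomp_data d = { .nr = nr, .arch = SECCOMP_ARCH, .args = { flags } };
    return run_filter(&d);
}
/* Install for this process and its descendants; returns 0 on success. */
static int install_filter(void) {
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Run decide() over the (nr, flags) pairs you care about before calling install_filter(); once installed, a seccomp filter cannot be removed by the process itself.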