Hi all,

Somewhat recently, this series [1] added UFFD_USER_MODE_ONLY. The idea is, letting userspace intercept kernel faults opens a potential attack surface, so it's better to restrict this by default.

However, consider the use case of live migration. We have some userspace process on the migration target, which needs to handle kernel faults. With this series, we have two options:

1. Grant this userspace process more privileges - CAP_SYS_PTRACE, run as root, etc.
2. Disable the UFFD_USER_MODE_ONLY restriction, via vm.userfault.

We would prefer not to do (2), as this opens up the attack surface [1] was originally trying to address. We'd also prefer not to do (1), because it sort of grants the live migration handler the permissions it needs, *plus a lot more*. It's sort of not fine grained enough.

So, what are your thoughts on adding a new CAP_USERFAULTFD, as a more fine grained way to grant this specific permission? It seems like there is some precedent for this - take CAP_CHECKPOINT_RESTORE, for example.

If this passes a quick sanity check, I can send a series which does this for review.

Thanks!

[1]: https://lore.kernel.org/patchwork/cover/1342060/
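As an added illustration (not code from this mail, from the series it cites, or from the kernel tree), the C program below probes which userfaultfd modes the calling process is permitted to open under the gate the mail discusses. It first requests a descriptor with UFFD_USER_MODE_ONLY set, then one without it, completes the UFFDIO_API handshake on each, and classifies the outcome. A live-migration handler that lands in the USER_ONLY bucket is exactly the situation described above: it can serve faults triggered by userspace accesses, but gets EPERM when it asks to also handle kernel-originated faults, unless the sysctl (vm.unprivileged_userfaultfd) is relaxed or the process holds CAP_SYS_PTRACE. The enum and function names are my own; the flag value, ioctl and struct come from the kernel uapi header linux/userfaultfd.h.

```c
/* Added example: probe which userfaultfd modes this process may open.
 * Not code from the mail or the kernel series; names below are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

/* Older uapi headers (pre-5.11) lack the flag; its uapi value is 1. */
#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1
#endif

/* Hypothetical classification of the outcome of the permission gate. */
enum uffd_access {
    UFFD_ACCESS_UNAVAILABLE = 0, /* syscall missing or blocked (ENOSYS etc.) */
    UFFD_ACCESS_DENIED      = 1, /* EPERM even for user-mode-only faults    */
    UFFD_ACCESS_USER_ONLY   = 2, /* user faults OK, kernel faults refused   */
    UFFD_ACCESS_FULL        = 3, /* may also handle kernel-originated faults */
};

/* Open a userfaultfd. With want_kernel_faults == 0 the descriptor is
 * requested with UFFD_USER_MODE_ONLY, which the kernel allows without
 * extra privilege; without the flag the request is subject to the
 * vm.unprivileged_userfaultfd / CAP_SYS_PTRACE check.
 * Returns the fd on success, or -errno on failure. */
static int open_uffd(int want_kernel_faults)
{
#ifdef __NR_userfaultfd
    int flags = O_CLOEXEC | O_NONBLOCK;
    if (!want_kernel_faults)
        flags |= UFFD_USER_MODE_ONLY;

    long fd = syscall(__NR_userfaultfd, flags);
    if (fd < 0)
        return -errno;

    /* Complete the API handshake so the descriptor is actually usable. */
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    if (ioctl((int)fd, UFFDIO_API, &api) < 0) {
        int err = errno;
        close((int)fd);
        return -err;
    }
    return (int)fd;
#else
    (void)want_kernel_faults;
    return -ENOSYS;
#endif
}

/* Try both modes and report which bucket the current process falls into. */
static enum uffd_access probe_uffd_access(void)
{
    int user_only = open_uffd(0);
    int full = open_uffd(1);

    if (user_only >= 0)
        close(user_only);
    if (full >= 0)
        close(full);

    if (full >= 0)
        return UFFD_ACCESS_FULL;
    if (user_only >= 0)
        return UFFD_ACCESS_USER_ONLY;
    if (user_only == -EPERM || user_only == -EACCES)
        return UFFD_ACCESS_DENIED;
    return UFFD_ACCESS_UNAVAILABLE;
}

int main(void)
{
    static const char *names[] = {
        "unavailable", "denied", "user-mode-only", "full (kernel faults too)"
    };
    enum uffd_access a = probe_uffd_access();
    int full = open_uffd(1);
    printf("userfaultfd access: %s\n", names[a]);
    if (full < 0)
        printf("kernel-fault handling refused: %s\n", strerror(-full));
    else
        close(full);
    return 0;
}
```

Run it as an unprivileged user on a kernel with the default vm.unprivileged_userfaultfd=0 and it reports user-mode-only; re-run with CAP_SYS_PTRACE (or as root, or after setting the sysctl to 1) and it reports full. The program registers no memory range, since the point is only the permission gate at open time, not fault handling itself.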