On Thu, Jun 22, 2023 at 4:45 PM Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote: > I wanted to execute some kernel workloads in a fully isolated user > space process, started from a binary statically linked with klibc, > connected to the kernel only through a pipe. FWIW, the kernel has some infrastructure for this already, see CONFIG_USERMODE_DRIVER and kernel/usermode_driver.c, with a usage example in net/bpfilter/. > I also wanted that, for the root user, tampering with that process is > as hard as if the same code runs in kernel space. I believe that actually making it that hard would probably mean that you'd have to ensure that the process doesn't use swap (in other words, it would have to run with all memory locked), because root can choose where swapped pages are stored. Other than that, if you mark it as a kthread so that no ptrace access is allowed, you can probably get pretty close. But if you do anything like that, please leave some way (like a kernel build config option or such) to enable debugging for these processes. But I'm not convinced that it makes sense to try to draw a security boundary between fully-privileged root (with the ability to mount things and configure swap and so on) and the kernel - my understanding is that some kernel subsystems don't treat root-to-kernel privilege escalation issues as security bugs that have to be fixed.
