Feature #17196
Disable unprivileged userfaultfd
100%
Description
The userfaultfd()
syscall has had numerous security issues ever since it was released. It is of no use to Tails, so it should be disabled for security. Linux recently provided the option to restrict this syscall to the root user to mitigate the security issues. This can be done by setting the sysctl vm.unprivileged_userfaultfd
to 0. This feature request is similar to related sysctl hardening tickets like Feature #11827, Feature #11840, Feature #11421, and Feature #12025.
Subtasks
History
#1 Updated by intrigeri 2019-10-31 11:38:57
- Status changed from New to Confirmed
This proposal makes sense to me. It would be sweet if someone ran our full test suite on an image with this implemented, to check that it does not break anything (at the moment Debian’s codesearch is broken so I can’t check where this syscall is used).
#2 Updated by denkxor 2019-11-03 19:52:06
Added the new option here: https://gitlab.com/denkxor/tails/commit/52fca4d1710fd73126f43360412e0a2e4c177e2e
#3 Updated by denkxor 2019-11-03 21:12:58
- Status changed from Confirmed to In Progress
Applied in changeset commit:tails|469f7de47512d081dbcd8034ad6aa14efcf81efb.
#4 Updated by segfault 2019-11-03 22:09:00
- Feature Branch set to feature/17196-disable-unprivileged-userfaultfd
denkxor wrote:
> Added the new option here: https://gitlab.com/denkxor/tails/commit/52fca4d1710fd73126f43360412e0a2e4c177e2e
Thanks! I cherry-picked your commit to a new branch on tails.git (based on the stable branch, so that we could release it in 4.1), so that we can run our test suite on it.
#5 Updated by segfault 2019-11-06 13:36:36
- Feature Branch changed from feature/17196-disable-unprivileged-userfaultfd to feature/17196-disable-unprivileged-userfaultfd+force-all-tests
Forgot to name the branch correctly, so that actually the full test suite is executed.
#6 Updated by intrigeri 2019-11-11 15:44:43
- Status changed from In Progress to Needs Validation
- Assignee set to intrigeri
#7 Updated by intrigeri 2019-11-11 15:50:18
- Target version set to Tails_4.1
#8 Updated by intrigeri 2019-11-11 15:51:00
- Status changed from Needs Validation to Resolved
- % Done changed from 0 to 100
Applied in changeset commit:tails|4997d82f378a4e717d337c486f7d6ceeec379d5f.