From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F4D7C433DB for ; Fri, 29 Jan 2021 07:09:03 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id CC6EF64D9A for ; Fri, 29 Jan 2021 07:09:02 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CC6EF64D9A Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 3D60B6B0005; Fri, 29 Jan 2021 02:09:02 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 3854B6B006C; Fri, 29 Jan 2021 02:09:02 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 29C5F6B0071; Fri, 29 Jan 2021 02:09:02 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0091.hostedemail.com [216.40.44.91]) by kanga.kvack.org (Postfix) with ESMTP id 10A1E6B0005 for ; Fri, 29 Jan 2021 02:09:02 -0500 (EST) Received: from smtpin03.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id C00D01EE6 for ; Fri, 29 Jan 2021 07:09:01 +0000 (UTC) X-FDA: 77757935682.03.mind13_3210373275a6 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin03.hostedemail.com (Postfix) with ESMTP id 956BD28A4E8 for ; Fri, 29 Jan 2021 07:09:01 +0000 (UTC) X-HE-Tag: mind13_3210373275a6 X-Filterd-Recvd-Size: 8800 Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) by imf16.hostedemail.com (Postfix) with ESMTP for ; Fri, 29 Jan 2021 07:09:00 +0000 (UTC) Received: by mail-wr1-f52.google.com with SMTP id c4so5055345wru.9 for ; Thu, 28 Jan 2021 23:09:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ult8zy5xj/tXqtlGi7vShUkHJCjjlZrRLpldHENqRBY=; b=cBaGDGS2QWOESKozRcZotuvwRupav2CXJF7ahIQn+h0+WO/z5SKkLUccJxo94nXNxH YMWlfKR6c92aQ2FN85YA+iC3zVa9/YotWR2/M4RrUJkLCg8KkPiYz0QJY7K9vjX+mZP3 mqpAQxkjD4DWL6MihojpYmp07WiSff6r4bobkkvj3TWHMfqswBanlkTM3Jux2xrbOLV/ oXbWTl9ByjD7RWsvYtodlLu3DMya7dPa/ZuXPnbMSv9tM0IfO55LepZY+Yc7H0/mVuwC wjOmsKA8p7Ln7TNXXQz0rSc9DEnGSzZ9QAEiNusnTVWGmLmgKho7JsLOY/B9sDxpB3TM C3Vg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ult8zy5xj/tXqtlGi7vShUkHJCjjlZrRLpldHENqRBY=; b=ep5MIOrPEL5HWWIlaoJCoI9eiVKjiu6QoFHMmnF54FBamTUmp/XpGGeNqGhrsS2r52 yZYKowuI8AtvlXPEm2OBX5ICRcj5Ckql4QM20LsrR60Quf5aJirnZ5UpKn9ME3u3cPa8 F6ZU7mreZl5+X7iLX0yBaonajXAc47o8fbxyrQbELgiFLj+I83yAfc2D2Yg9xFXtRCSy /T3nDxjCoiCHZ5+QIYGM9DGOZIwp1If1aAE9pPYI74M3IdAuuWxx8acvQjAw+fA0F+Li 7r5xZfO2sjYkt3ExzKQOlhy3m/tfniDDfymuMUmBZGPTmBg7Ba44FeVI7JH9tjJPjG8P D7dw== X-Gm-Message-State: AOAM532jeUQszgFDm99y8eqVVoHNUnXA/xAIDiMHpPJkJSmGWnaamu6J 49WOJF7zypCm22lcYBaoIvQDYkQOdJYQmR0q/8/IZA== X-Google-Smtp-Source: ABdhPJzkowp1ilp+OFPEIMbGb6vSG9e69uA79k3/vA8VNzv9ZTNBTpkBH2Stn5OWV7WFH9rQ1eD4rtL1bZyOdiGOgOI= X-Received: by 2002:adf:e50e:: with SMTP id j14mr2960460wrm.162.1611904139317; Thu, 28 Jan 2021 23:08:59 -0800 (PST) MIME-Version: 1.0 References: <20210111170622.2613577-1-surenb@google.com> <20210112074629.GG22493@dhcp22.suse.cz> <20210112174507.GA23780@redhat.com> <20210113142202.GC22493@dhcp22.suse.cz> <20210126135254.GP827@dhcp22.suse.cz> In-Reply-To: From: Suren Baghdasaryan Date: Thu, 28 Jan 2021 23:08:48 -0800 Message-ID: Subject: Re: [PATCH v2 1/1] mm/madvise: replace ptrace attach requirement for process_madvise To: Michal Hocko Cc: Jann Horn , Oleg Nesterov , Andrew Morton , Kees Cook , Jeffrey Vander Stoep , Minchan Kim , Shakeel Butt , David Rientjes , =?UTF-8?Q?Edgar_Arriaga_Garc=C3=ADa?= , Tim Murray , linux-mm , SElinux list , Linux API , LKML , kernel-team , linux-security-module , stable Content-Type: text/plain; charset="UTF-8" X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Jan 28, 2021 at 11:51 AM Suren Baghdasaryan wrote: > > On Tue, Jan 26, 2021 at 5:52 AM 'Michal Hocko' via kernel-team > wrote: > > > > On Wed 20-01-21 14:17:39, Jann Horn wrote: > > > On Wed, Jan 13, 2021 at 3:22 PM Michal Hocko wrote: > > > > On Tue 12-01-21 09:51:24, Suren Baghdasaryan wrote: > > > > > On Tue, Jan 12, 2021 at 9:45 AM Oleg Nesterov wrote: > > > > > > > > > > > > On 01/12, Michal Hocko wrote: > > > > > > > > > > > > > > On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote: > > > > > > > > > > > > > > > What we want is the ability for one process to influence another process > > > > > > > > in order to optimize performance across the entire system while leaving > > > > > > > > the security boundary intact. > > > > > > > > Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ > > > > > > > > and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata > > > > > > > > and CAP_SYS_NICE for influencing process performance. > > > > > > > > > > > > > > I have to say that ptrace modes are rather obscure to me. So I cannot > > > > > > > really judge whether MODE_READ is sufficient. My understanding has > > > > > > > always been that this is requred to RO access to the address space. But > > > > > > > this operation clearly has a visible side effect. Do we have any actual > > > > > > > documentation for the existing modes? > > > > > > > > > > > > > > I would be really curious to hear from Jann and Oleg (now Cced). > > > > > > > > > > > > Can't comment, sorry. I never understood these security checks and never tried. > > > > > > IIUC only selinux/etc can treat ATTACH/READ differently and I have no idea what > > > > > > is the difference. > > > > > > Yama in particular only does its checks on ATTACH and ignores READ, > > > that's the difference you're probably most likely to encounter on a > > > normal desktop system, since some distros turn Yama on by default. > > > Basically the idea there is that running "gdb -p $pid" or "strace -p > > > $pid" as a normal user will usually fail, but reading /proc/$pid/maps > > > still works; so you can see things like detailed memory usage > > > information and such, but you're not supposed to be able to directly > > > peek into a running SSH client and inject data into the existing SSH > > > connection, or steal the cryptographic keys for the current > > > connection, or something like that. > > > > > > > > I haven't seen a written explanation on ptrace modes but when I > > > > > consulted Jann his explanation was: > > > > > > > > > > PTRACE_MODE_READ means you can inspect metadata about processes with > > > > > the specified domain, across UID boundaries. > > > > > PTRACE_MODE_ATTACH means you can fully impersonate processes with the > > > > > specified domain, across UID boundaries. > > > > > > > > Maybe this would be a good start to document expectations. Some more > > > > practical examples where the difference is visible would be great as > > > > well. > > > > > > Before documenting the behavior, it would be a good idea to figure out > > > what to do with perf_event_open(). That one's weird in that it only > > > requires PTRACE_MODE_READ, but actually allows you to sample stuff > > > like userspace stack and register contents (if perf_event_paranoid is > > > 1 or 2). Maybe for SELinux things (and maybe also for Yama), there > > > should be a level in between that allows fully inspecting the process > > > (for purposes like profiling) but without the ability to corrupt its > > > memory or registers or things like that. Or maybe perf_event_open() > > > should just use the ATTACH mode. > > > > Thanks for the clarification. I still cannot say I would have a good > > mental picture. Having something in Documentation/core-api/ sounds > > really needed. Wrt to perf_event_open it sounds really odd it can do > > more than other places restrict indeed. Something for the respective > > maintainer but I strongly suspect people simply copy the pattern from > > other places because the expected semantic is not really clear. > > > > Sorry, back to the matters of this patch. Are there any actionable > items for me to take care of before it can be accepted? The only > request from Andrew to write a man page is being worked on at > https://lore.kernel.org/linux-mm/20210120202337.1481402-1-surenb@google.com/ > and I'll follow up with the next version. I also CC'ed stable@ for > this to be included into 5.10 per Andrew's request. That CC was lost > at some point, so CC'ing again. > > I do not see anything else on this patch to fix. Please chime in if > there are any more concerns, otherwise I would ask Andrew to take it > into mm-tree and stable@ to apply it to 5.10. > Thanks! process_madvise man page V2 is posted at: https://lore.kernel.org/linux-mm/20210129070340.566340-1-surenb@google.com/ > > > > -- > > Michal Hocko > > SUSE Labs > > > > -- > > To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com. > >