From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=UbJL=ID=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-28.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 545CDC433E0
	for <linux-mm@archiver.kernel.org>; Fri,  5 Mar 2021 18:08:38 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id CBA4B65074
	for <linux-mm@archiver.kernel.org>; Fri,  5 Mar 2021 18:08:37 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CBA4B65074
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 4C3A16B005D; Fri,  5 Mar 2021 13:08:37 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 49A546B006C; Fri,  5 Mar 2021 13:08:37 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 313EA6B006E; Fri,  5 Mar 2021 13:08:37 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0215.hostedemail.com [216.40.44.215])
	by kanga.kvack.org (Postfix) with ESMTP id A7B176B005D
	for <linux-mm@kvack.org>; Fri,  5 Mar 2021 13:08:36 -0500 (EST)
Received: from smtpin14.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 5957118024A63
	for <linux-mm@kvack.org>; Fri,  5 Mar 2021 18:08:36 +0000 (UTC)
X-FDA: 77886605832.14.BD51DD0
Received: from mail-yb1-f172.google.com (mail-yb1-f172.google.com [209.85.219.172])
	by imf27.hostedemail.com (Postfix) with ESMTP id 55CAB80192E8
	for <linux-mm@kvack.org>; Fri,  5 Mar 2021 18:08:27 +0000 (UTC)
Received: by mail-yb1-f172.google.com with SMTP id p193so2872646yba.4
        for <linux-mm@kvack.org>; Fri, 05 Mar 2021 10:08:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=i+6o5aVNdSv/9PF60BXlGDu7aBq8OxaHxrB0uLUzYrc=;
        b=Ny7RBbrR4UlOHG+dSivV32D5lTfFDCzcqftIe4uJ3WEY9i2EmbM46Yx3Zsf75eQzjh
         25bgNEBZHgpoLKAwZZtYu80p74H/p+WQ1aPU4sTbAqKqI/hPS17ucdidYpFSCmy9CfGR
         pSbu/iLFv0UdpdJV5sspL9FXS3QixX75F9ifzlpm+dogqs4rlJPoee7316SO7JPSl/78
         364PENxK8UAci0rkZBNJMCDtnHDFY6kSmGYTr9eVnXDOsmX2bUWvlnkRJesiyfi7VrZd
         rFpWHDvFxpIORgE5AgAjTstkr43hqtBRKxomoIBoju1bRkumL1zhVMGpeOENsGLpCik2
         CPxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=i+6o5aVNdSv/9PF60BXlGDu7aBq8OxaHxrB0uLUzYrc=;
        b=P3mXtwnXziFPcBuB/3UJ8dGvuORLPJkSamBYj8ho606qaW7TP6Renj0RGZNJMq1o+g
         HJPv76UXdR5xhto5q87fQDjJ5XMYNz7EcPOk1DIuKWTluEqhFzyow9JRqb/6njmeMFUi
         P6Y62D20yB/VWwu9ts0+B0vFU9+qsybWdP/HJVAD2OmUOKqfXMBH1o6HBE4LuxO3lAtR
         uxkq3NxhDxDCyioS3XZwCWFJID75HNzSzXCpb4QN/LaUM5jxiRLCNKq2bCD4Qet+WONh
         BOR8ubJpYYg128hFCzUMOUo+rl0aQ55EXI0EKMV4s7HRsBY7Ow8sQBQIQqNoaAjsaDlA
         FfYw==
X-Gm-Message-State: AOAM530hmjXYghVR/815LI2lJyAAl9kGOlsKJshuBhZwEUOflv5YVwjb
	Jrf2hOs4HDFKe6i3geckEmr5qkR/Vp29l95NFBbL6A==
X-Google-Smtp-Source: ABdhPJxCWzTmoai1hZsnAOSmpEhu3oMti16AH2dM9Cjc38rmCbSq4yE+FjTWUWXUJKlm5vAU7D3kMKHzk+97El7TTj8=
X-Received: by 2002:a25:4444:: with SMTP id r65mr16151762yba.84.1614967708501;
 Fri, 05 Mar 2021 10:08:28 -0800 (PST)
MIME-Version: 1.0
References: <20210303185807.2160264-1-surenb@google.com> <CALvZod73Uem8jzP3QQdQ6waXbx80UUOTJQS7WBwnmaCdq++8xw@mail.gmail.com>
 <CAJuCfpFgDRezmQMjCajXzBp86UbMLMJbqEaeo0_J+pneZ5XOgg@mail.gmail.com>
 <CALvZod4nZ6W05N-4ostUEz5EbCuEvuBpc4LRYfAFgwQU-wb9dQ@mail.gmail.com>
 <b45d9599-b917-10c3-6b86-6ecd8db16d43@redhat.com> <CALvZod6b8H-=N6WVrgMVLE3=pm-ELWerjAO5v5KHSH-ih337+g@mail.gmail.com>
 <c234a564-a052-b586-2a32-8580aaf8ca5d@redhat.com>
In-Reply-To: <c234a564-a052-b586-2a32-8580aaf8ca5d@redhat.com>
From: Suren Baghdasaryan <surenb@google.com>
Date: Fri, 5 Mar 2021 10:08:17 -0800
Message-ID: <CAJuCfpHmks2Lxu8j0LaU+yhS3yO62=4qo=Jinr3mK0Km7yguAQ@mail.gmail.com>
Subject: Re: [PATCH v3 1/1] mm/madvise: replace ptrace attach requirement for process_madvise
To: David Hildenbrand <david@redhat.com>
Cc: Shakeel Butt <shakeelb@google.com>, Andrew Morton <akpm@linux-foundation.org>, 
	Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>, 
	Jeffrey Vander Stoep <jeffv@google.com>, Minchan Kim <minchan@kernel.org>, Michal Hocko <mhocko@suse.com>, 
	David Rientjes <rientjes@google.com>, =?UTF-8?Q?Edgar_Arriaga_Garc=C3=ADa?= <edgararriaga@google.com>, 
	Tim Murray <timmurray@google.com>, Florian Weimer <fweimer@redhat.com>, 
	Oleg Nesterov <oleg@redhat.com>, James Morris <jmorris@namei.org>, Linux MM <linux-mm@kvack.org>, 
	SElinux list <selinux@vger.kernel.org>, Linux API <linux-api@vger.kernel.org>, 
	linux-security-module <linux-security-module@vger.kernel.org>, stable <stable@vger.kernel.org>, 
	LKML <linux-kernel@vger.kernel.org>, kernel-team <kernel-team@android.com>
Content-Type: text/plain; charset="UTF-8"
X-Stat-Signature: d3ke8bjd1bftrmhxpycofpqmzznquf3p
X-Rspamd-Server: rspam05
X-Rspamd-Queue-Id: 55CAB80192E8
Received-SPF: none (google.com>: No applicable sender policy available) receiver=imf27; identity=mailfrom; envelope-from="<surenb@google.com>"; helo=mail-yb1-f172.google.com; client-ip=209.85.219.172
X-HE-DKIM-Result: pass/pass
X-HE-Tag: 1614967707-482298
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Fri, Mar 5, 2021 at 9:52 AM David Hildenbrand <david@redhat.com> wrote:
>
> On 05.03.21 18:45, Shakeel Butt wrote:
> > On Fri, Mar 5, 2021 at 9:37 AM David Hildenbrand <david@redhat.com> wrote:
> >>
> >> On 04.03.21 01:03, Shakeel Butt wrote:
> >>> On Wed, Mar 3, 2021 at 3:34 PM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>>
> >>>> On Wed, Mar 3, 2021 at 3:17 PM Shakeel Butt <shakeelb@google.com> wrote:
> >>>>>
> >>>>> On Wed, Mar 3, 2021 at 10:58 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>>>>
> >>>>>> process_madvise currently requires ptrace attach capability.
> >>>>>> PTRACE_MODE_ATTACH gives one process complete control over another
> >>>>>> process. It effectively removes the security boundary between the
> >>>>>> two processes (in one direction). Granting ptrace attach capability
> >>>>>> even to a system process is considered dangerous since it creates an
> >>>>>> attack surface. This severely limits the usage of this API.
> >>>>>> The operations process_madvise can perform do not affect the correctness
> >>>>>> of the operation of the target process; they only affect where the data
> >>>>>> is physically located (and therefore, how fast it can be accessed).
> >>>>>> What we want is the ability for one process to influence another process
> >>>>>> in order to optimize performance across the entire system while leaving
> >>>>>> the security boundary intact.
> >>>>>> Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ
> >>>>>> and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata
> >>>>>> and CAP_SYS_NICE for influencing process performance.
> >>>>>>
> >>>>>> Cc: stable@vger.kernel.org # 5.10+
> >>>>>> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> >>>>>> Reviewed-by: Kees Cook <keescook@chromium.org>
> >>>>>> Acked-by: Minchan Kim <minchan@kernel.org>
> >>>>>> Acked-by: David Rientjes <rientjes@google.com>
> >>>>>> ---
> >>>>>> changes in v3
> >>>>>> - Added Reviewed-by: Kees Cook <keescook@chromium.org>
> >>>>>> - Created man page for process_madvise per Andrew's request: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=a144f458bad476a3358e3a45023789cb7bb9f993
> >>>>>> - cc'ed stable@vger.kernel.org # 5.10+ per Andrew's request
> >>>>>> - cc'ed linux-security-module@vger.kernel.org per James Morris's request
> >>>>>>
> >>>>>>    mm/madvise.c | 13 ++++++++++++-
> >>>>>>    1 file changed, 12 insertions(+), 1 deletion(-)
> >>>>>>
> >>>>>> diff --git a/mm/madvise.c b/mm/madvise.c
> >>>>>> index df692d2e35d4..01fef79ac761 100644
> >>>>>> --- a/mm/madvise.c
> >>>>>> +++ b/mm/madvise.c
> >>>>>> @@ -1198,12 +1198,22 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
> >>>>>>                   goto release_task;
> >>>>>>           }
> >>>>>>
> >>>>>> -       mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS);
> >>>>>> +       /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */
> >>>>>> +       mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
> >>>>>>           if (IS_ERR_OR_NULL(mm)) {
> >>>>>>                   ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
> >>>>>>                   goto release_task;
> >>>>>>           }
> >>>>>>
> >>>>>> +       /*
> >>>>>> +        * Require CAP_SYS_NICE for influencing process performance. Note that
> >>>>>> +        * only non-destructive hints are currently supported.
> >>>>>
> >>>>> How is non-destructive defined? Is MADV_DONTNEED non-destructive?
> >>>>
> >>>> Non-destructive in this context means the data is not lost and can be
> >>>> recovered. I follow the logic described in
> >>>> https://lwn.net/Articles/794704/ where Minchan was introducing
> >>>> MADV_COLD and MADV_PAGEOUT as non-destructive versions of MADV_FREE
> >>>> and MADV_DONTNEED. Following that logic, MADV_FREE and MADV_DONTNEED
> >>>> would be considered destructive hints.
> >>>> Note that process_madvise_behavior_valid() allows only MADV_COLD and
> >>>> MADV_PAGEOUT at the moment, which are both non-destructive.
> >>>>
> >>>
> >>> There is a plan to support MADV_DONTNEED for this syscall. Do we need
> >>> to change these access checks again with that support?
> >>
> >> Eh, I absolutely don't think letting another process discard memory in
> >> another process' address space is a good idea. The target process can
> >> observe that easily and might even run into real issues.
> >>
> >> What's the use case?
> >>
> >
> > Userspace oom reaper. Please look at
> > https://lore.kernel.org/linux-api/20201014183943.GA1489464@google.com/T/
> >
>
> Thanks, somehow I missed that (not that it really changed my opinion on
> the approach while skimming over the discussion :) will have a more
> detailed look)

The latest version of that patchset is:
https://lore.kernel.org/patchwork/patch/1344419/
Yeah, memory reaping is a special case when we are operating on a
dying process to speed up the release of its memory. I don't know if
for that particular case we need to make the checks stricter. It's a
dying process anyway and the data is being destroyed. Allowing to
speed up that process probably can still use CAP_SYS_NICE.

>
> --
> Thanks,
>
> David / dhildenb
>