From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=UbJL=ID=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-28.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BFBF8C433DB
	for <linux-mm@archiver.kernel.org>; Fri,  5 Mar 2021 17:45:23 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 60C0D650A3
	for <linux-mm@archiver.kernel.org>; Fri,  5 Mar 2021 17:45:23 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 60C0D650A3
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id D7A8F6B006E; Fri,  5 Mar 2021 12:45:22 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id D2A056B0070; Fri,  5 Mar 2021 12:45:22 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id BA3E96B0071; Fri,  5 Mar 2021 12:45:22 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0116.hostedemail.com [216.40.44.116])
	by kanga.kvack.org (Postfix) with ESMTP id 981C46B006E
	for <linux-mm@kvack.org>; Fri,  5 Mar 2021 12:45:22 -0500 (EST)
Received: from smtpin21.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 524701DEF
	for <linux-mm@kvack.org>; Fri,  5 Mar 2021 17:45:22 +0000 (UTC)
X-FDA: 77886547284.21.86A9704
Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174])
	by imf15.hostedemail.com (Postfix) with ESMTP id 3811BA0009FB
	for <linux-mm@kvack.org>; Fri,  5 Mar 2021 17:45:21 +0000 (UTC)
Received: by mail-lj1-f174.google.com with SMTP id a17so3838630ljq.2
        for <linux-mm@kvack.org>; Fri, 05 Mar 2021 09:45:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=fjmoW72/ku1lnLXMuAm6ZbrP9WWp23FQh9M1c5WKSl8=;
        b=A9upIdY3NrsolQX2lFBy06Za+fmkomHdOwQcUyiHv6xHc7YqCQkQn8C6s0QHzCTaev
         SPR5qphZ57qK3qBIyHtSjH7FuFLszlLhqzw1qfcJhyzvX40a4/NJhPfKIvpxqznGT893
         DRtYpo3aDFSUVvdgLQxmy+u29XYt2x56ELWBlMwArbOh3mRWENcJlAdQXEzeRInYX4Dj
         8eSHEoYHoj08rC2K0VG4xfUTeh8kxNYHZZVMA08IIc5dA/y4QPSpteJOU1GAgKZG4bCt
         ryJoO/evucYsYRC1Tic8ime0iJWw/SzNmpqAA9Zadn9IUvBgXQcNW2l5TBAXTeQPZyL7
         FDRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=fjmoW72/ku1lnLXMuAm6ZbrP9WWp23FQh9M1c5WKSl8=;
        b=fC8bPMNfv9zARCAzyeQmIAFNBI3wJ6ZlDaa6TbDjE8AwLdO9bm3oRz1xvIs52AwiTg
         lOKS0vzcwYqp/A91TdfjT71/0TZVimcVR9aWstU01+Q8JJHQfnsHPSmlH5WDepatAAFU
         sYQZD8zKYMrbZrleCdHzDDIDKdLs9GUyuzkLMaHkenLk3f4ztwi01pBzdODoumVJpejG
         xD+JyWOIJLPZrBUMRhDfFTWNuG7wE64ZPgbNmh0ZtkMZ3/7rwKrbr8zy6Vdn0OJ7hFLR
         zuclQMY5dOI/SlB5CqhdDFdqOxMErSjw+4wjOkAnv0t1EfwZL6hX9fxtCE1NOvk+NUUW
         6nOA==
X-Gm-Message-State: AOAM532MDvQxg6ZX3ap/dKnuTTgSVpsLbq+vfOqmitBS+kvP/CK8+ZxC
	5Qi9dj2R3NaVJVjqJ6dMWsvt7MEWgBgZ0iQJPuOUyA==
X-Google-Smtp-Source: ABdhPJyK/dVc1k+/qBKUx8d5GEaTi/dVKzYSI4dp4RHRGb8oEpa+bUgfpktgJn4unjvrnTrj45o6DabtPYORirmP6Rw=
X-Received: by 2002:a2e:9195:: with SMTP id f21mr5616413ljg.160.1614966319338;
 Fri, 05 Mar 2021 09:45:19 -0800 (PST)
MIME-Version: 1.0
References: <20210303185807.2160264-1-surenb@google.com> <CALvZod73Uem8jzP3QQdQ6waXbx80UUOTJQS7WBwnmaCdq++8xw@mail.gmail.com>
 <CAJuCfpFgDRezmQMjCajXzBp86UbMLMJbqEaeo0_J+pneZ5XOgg@mail.gmail.com>
 <CALvZod4nZ6W05N-4ostUEz5EbCuEvuBpc4LRYfAFgwQU-wb9dQ@mail.gmail.com> <b45d9599-b917-10c3-6b86-6ecd8db16d43@redhat.com>
In-Reply-To: <b45d9599-b917-10c3-6b86-6ecd8db16d43@redhat.com>
From: Shakeel Butt <shakeelb@google.com>
Date: Fri, 5 Mar 2021 09:45:07 -0800
Message-ID: <CALvZod6b8H-=N6WVrgMVLE3=pm-ELWerjAO5v5KHSH-ih337+g@mail.gmail.com>
Subject: Re: [PATCH v3 1/1] mm/madvise: replace ptrace attach requirement for process_madvise
To: David Hildenbrand <david@redhat.com>
Cc: Suren Baghdasaryan <surenb@google.com>, Andrew Morton <akpm@linux-foundation.org>, 
	Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>, 
	Jeffrey Vander Stoep <jeffv@google.com>, Minchan Kim <minchan@kernel.org>, Michal Hocko <mhocko@suse.com>, 
	David Rientjes <rientjes@google.com>, =?UTF-8?Q?Edgar_Arriaga_Garc=C3=ADa?= <edgararriaga@google.com>, 
	Tim Murray <timmurray@google.com>, Florian Weimer <fweimer@redhat.com>, 
	Oleg Nesterov <oleg@redhat.com>, James Morris <jmorris@namei.org>, Linux MM <linux-mm@kvack.org>, 
	SElinux list <selinux@vger.kernel.org>, Linux API <linux-api@vger.kernel.org>, 
	linux-security-module <linux-security-module@vger.kernel.org>, stable <stable@vger.kernel.org>, 
	LKML <linux-kernel@vger.kernel.org>, kernel-team <kernel-team@android.com>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: 3811BA0009FB
X-Stat-Signature: rk189brzjrfdkqb658sc8uisyckx83ib
Received-SPF: none (google.com>: No applicable sender policy available) receiver=imf15; identity=mailfrom; envelope-from="<shakeelb@google.com>"; helo=mail-lj1-f174.google.com; client-ip=209.85.208.174
X-HE-DKIM-Result: pass/pass
X-HE-Tag: 1614966321-912554
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Fri, Mar 5, 2021 at 9:37 AM David Hildenbrand <david@redhat.com> wrote:
>
> On 04.03.21 01:03, Shakeel Butt wrote:
> > On Wed, Mar 3, 2021 at 3:34 PM Suren Baghdasaryan <surenb@google.com> wrote:
> >>
> >> On Wed, Mar 3, 2021 at 3:17 PM Shakeel Butt <shakeelb@google.com> wrote:
> >>>
> >>> On Wed, Mar 3, 2021 at 10:58 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>>
> >>>> process_madvise currently requires ptrace attach capability.
> >>>> PTRACE_MODE_ATTACH gives one process complete control over another
> >>>> process. It effectively removes the security boundary between the
> >>>> two processes (in one direction). Granting ptrace attach capability
> >>>> even to a system process is considered dangerous since it creates an
> >>>> attack surface. This severely limits the usage of this API.
> >>>> The operations process_madvise can perform do not affect the correctness
> >>>> of the operation of the target process; they only affect where the data
> >>>> is physically located (and therefore, how fast it can be accessed).
> >>>> What we want is the ability for one process to influence another process
> >>>> in order to optimize performance across the entire system while leaving
> >>>> the security boundary intact.
> >>>> Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ
> >>>> and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata
> >>>> and CAP_SYS_NICE for influencing process performance.
> >>>>
> >>>> Cc: stable@vger.kernel.org # 5.10+
> >>>> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> >>>> Reviewed-by: Kees Cook <keescook@chromium.org>
> >>>> Acked-by: Minchan Kim <minchan@kernel.org>
> >>>> Acked-by: David Rientjes <rientjes@google.com>
> >>>> ---
> >>>> changes in v3
> >>>> - Added Reviewed-by: Kees Cook <keescook@chromium.org>
> >>>> - Created man page for process_madvise per Andrew's request: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=a144f458bad476a3358e3a45023789cb7bb9f993
> >>>> - cc'ed stable@vger.kernel.org # 5.10+ per Andrew's request
> >>>> - cc'ed linux-security-module@vger.kernel.org per James Morris's request
> >>>>
> >>>>   mm/madvise.c | 13 ++++++++++++-
> >>>>   1 file changed, 12 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/mm/madvise.c b/mm/madvise.c
> >>>> index df692d2e35d4..01fef79ac761 100644
> >>>> --- a/mm/madvise.c
> >>>> +++ b/mm/madvise.c
> >>>> @@ -1198,12 +1198,22 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
> >>>>                  goto release_task;
> >>>>          }
> >>>>
> >>>> -       mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS);
> >>>> +       /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */
> >>>> +       mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
> >>>>          if (IS_ERR_OR_NULL(mm)) {
> >>>>                  ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
> >>>>                  goto release_task;
> >>>>          }
> >>>>
> >>>> +       /*
> >>>> +        * Require CAP_SYS_NICE for influencing process performance. Note that
> >>>> +        * only non-destructive hints are currently supported.
> >>>
> >>> How is non-destructive defined? Is MADV_DONTNEED non-destructive?
> >>
> >> Non-destructive in this context means the data is not lost and can be
> >> recovered. I follow the logic described in
> >> https://lwn.net/Articles/794704/ where Minchan was introducing
> >> MADV_COLD and MADV_PAGEOUT as non-destructive versions of MADV_FREE
> >> and MADV_DONTNEED. Following that logic, MADV_FREE and MADV_DONTNEED
> >> would be considered destructive hints.
> >> Note that process_madvise_behavior_valid() allows only MADV_COLD and
> >> MADV_PAGEOUT at the moment, which are both non-destructive.
> >>
> >
> > There is a plan to support MADV_DONTNEED for this syscall. Do we need
> > to change these access checks again with that support?
>
> Eh, I absolutely don't think letting another process discard memory in
> another process' address space is a good idea. The target process can
> observe that easily and might even run into real issues.
>
> What's the use case?
>

Userspace oom reaper. Please look at
https://lore.kernel.org/linux-api/20201014183943.GA1489464@google.com/T/