From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5C135C00140
	for <linux-mm@archiver.kernel.org>; Tue,  2 Aug 2022 09:09:36 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id DFB836B0073; Tue,  2 Aug 2022 05:09:35 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id D82BB6B0072; Tue,  2 Aug 2022 05:09:35 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id BFD9B8E0001; Tue,  2 Aug 2022 05:09:35 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id AA2586B0071
	for <linux-mm@kvack.org>; Tue,  2 Aug 2022 05:09:35 -0400 (EDT)
Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay09.hostedemail.com (Postfix) with ESMTP id 81B1F8024F
	for <linux-mm@kvack.org>; Tue,  2 Aug 2022 09:09:35 +0000 (UTC)
X-FDA: 79754079510.20.B1A4A56
Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29])
	by imf06.hostedemail.com (Postfix) with ESMTP id E94C41800FA
	for <linux-mm@kvack.org>; Tue,  2 Aug 2022 09:09:34 +0000 (UTC)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
	(No client certificate requested)
	by smtp-out2.suse.de (Postfix) with ESMTPS id B730920585;
	Tue,  2 Aug 2022 09:09:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
	t=1659431373; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=UkyokZQiUGgS32T7RwX35cBkz6mpMRTZP71cJgaHl4k=;
	b=Bo7QfQt+FRw8GdAAowDqF5VitqqIwho89C+bfVzIEQpdEWQPxx5OvhU0d8iosWLLlXjQNt
	RN0v9VuCXrIG2/Aq3Kk24+Nqwly+MNLV3aWqAV4dlod5SwLgri5HraJyEmYM+/WvpJMFgP
	NRXcxqDlf3us08MYrOB/WwAIWdr98PY=
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
	(No client certificate requested)
	by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 8AEF61345B;
	Tue,  2 Aug 2022 09:09:33 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
	by imap2.suse-dmz.suse.de with ESMTPSA
	id X37/IM3p6GKdXwAAMHmgww
	(envelope-from <mhocko@suse.com>); Tue, 02 Aug 2022 09:09:33 +0000
Date: Tue, 2 Aug 2022 11:09:32 +0200
From: Michal Hocko <mhocko@suse.com>
To: Zach O'Keefe <zokeefe@google.com>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
	Axel Rasmussen <axelrasmussen@google.com>,
	James Houghton <jthoughton@google.com>,
	Hugh Dickins <hughd@google.com>, Yang Shi <shy828301@gmail.com>,
	Miaohe Lin <linmiaohe@huawei.com>,
	David Hildenbrand <david@redhat.com>,
	David Rientjes <rientjes@google.com>,
	Matthew Wilcox <willy@infradead.org>,
	Pasha Tatashin <pasha.tatashin@soleen.com>,
	Peter Xu <peterx@redhat.com>,
	Rongwei Wang <rongwei.wang@linux.alibaba.com>,
	SeongJae Park <sj@kernel.org>, Song Liu <songliubraving@fb.com>,
	Vlastimil Babka <vbabka@suse.cz>, Zi Yan <ziy@nvidia.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Chris Kennelly <ckennelly@google.com>,
	Chris Zankel <chris@zankel.net>, Helge Deller <deller@gmx.de>,
	Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
	"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
	Jens Axboe <axboe@kernel.dk>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Matt Turner <mattst88@gmail.com>, Max Filippov <jcmvbkbc@gmail.com>,
	Minchan Kim <minchan@kernel.org>, Patrick Xia <patrickx@google.com>,
	Pavel Begunkov <asml.silence@gmail.com>,
	Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Subject: Re: [PATCH mm-unstable] mm/madvise: remove CAP_SYS_ADMIN requirement
 for process_madvise(MADV_COLLAPSE)
Message-ID: <YujpzGKImMQsn8SM@dhcp22.suse.cz>
References: <20220801210946.3069083-1-zokeefe@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220801210946.3069083-1-zokeefe@google.com>
ARC-Authentication-Results: i=1;
	imf06.hostedemail.com;
	dkim=pass header.d=suse.com header.s=susede1 header.b=Bo7QfQt+;
	spf=pass (imf06.hostedemail.com: domain of mhocko@suse.com designates 195.135.220.29 as permitted sender) smtp.mailfrom=mhocko@suse.com;
	dmarc=pass (policy=quarantine) header.from=suse.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1659431375; a=rsa-sha256;
	cv=none;
	b=qtMTlb2B3PTgsAJ0DvqhFlzl4FvGeNQNpD4xspZmWh5MTre4QkCUyLYYPPwXKaJgBXX6ci
	CB+RC2kTXmLphfxwdWNT1EvT0fBPaFx0f10oQpA/FhQKobI+pgl6pMbV3mCdpTu1OcCVho
	e5WjfJ94cB4JtkdxagNKOXHOXoZvTVY=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1659431375;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=UkyokZQiUGgS32T7RwX35cBkz6mpMRTZP71cJgaHl4k=;
	b=tIK2nRzfIVIuB1m9l4TIo6euFsYDo6X1vwrWiS+WCjqwmRPezcLYyMBiTMJBizHDSwb15J
	bGjwF7wy8MKOixn0nyrKO9HvdujuE1ln0ZZG8f+rD3JikyqZjLpFy1vtqP9WmlFaXlTRUH
	52VcgFRctdCPBsvyepoaacmjCKBSt1E=
Authentication-Results: imf06.hostedemail.com;
	dkim=pass header.d=suse.com header.s=susede1 header.b=Bo7QfQt+;
	spf=pass (imf06.hostedemail.com: domain of mhocko@suse.com designates 195.135.220.29 as permitted sender) smtp.mailfrom=mhocko@suse.com;
	dmarc=pass (policy=quarantine) header.from=suse.com
X-Stat-Signature: rudzyhk1yuonetwbz3z5t7soc8qwxp47
X-Rspamd-Queue-Id: E94C41800FA
X-Rspam-User: 
X-Rspamd-Server: rspam07
X-HE-Tag: 1659431374-644878
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Hasn't this been discussed during the MADV_COLLAPSE submission? What has
changed? Does this need more time to settle with the consensus?

On Mon 01-08-22 14:09:46, Zach O'Keefe wrote:
> process_madvise(MADV_COLLAPSE) currently requires CAP_SYS_ADMIN when not
> acting on the caller's own mm.  This is maximally restrictive, and
> perpetuates existing issues with CAP_SYS_ADMIN.  Remove this requirement.
> 
> When acting on an external process' memory, the biggest concerns for
> process_madvise(MADV_COLLAPSE) are (1) being able to influence process
> performance by moving memory, possibly between nodes, that is mapped
> into the address space of external process(es), (2) defeat of
> address-space-layout randomization, and (3), being able to increase
> process RSS and memcg usage, possibly causing memcg OOM.
> 
> process_madvise(2) already enforces CAP_SYS_NICE and PTRACE_MODE_READ (in
> PTRACE_MODE_FSCREDS mode).  A process with these credentials can already
> accomplish (1) and (2) via move_pages(MPOL_MF_MOVE_ALL), and (3) via
> process_madvise(MADV_WILLNEED).
> 
> process_madvise(MADV_COLLAPSE) may also circumvent sysfs THP settings.
> When acting on one's own memory (which is equivalent to
> madvise(MADV_COLLAPSE)), this is deemed acceptable, since aside from the
> possibility of hoarding available hugepages (which is currently already
> possible) no harm to the system can be done.  When acting on an external
> process' memory, circumventing sysfs THP settings should provide no
> additional threat compared to the ones listed.  As such, imposing
> additional capabilities (such as CAP_SETUID, as a way to ensure the
> caller could have just altered the sysfs THP settings themselves)
> provides no extra protection.
> 
> Fixes: 7ec952341312 ("mm/madvise: add MADV_COLLAPSE to process_madvise()")
> Signed-off-by: Zach O'Keefe <zokeefe@google.com>
> ---
>  mm/madvise.c | 8 +++-----
>  1 file changed, 3 insertions(+), 5 deletions(-)
> 
> diff --git a/mm/madvise.c b/mm/madvise.c
> index f9e11b6c9916..af97100a0727 100644
> --- a/mm/madvise.c
> +++ b/mm/madvise.c
> @@ -1170,16 +1170,14 @@ madvise_behavior_valid(int behavior)
>  	}
>  }
>  
> -static bool
> -process_madvise_behavior_valid(int behavior, struct task_struct *task)
> +static bool process_madvise_behavior_valid(int behavior)
>  {
>  	switch (behavior) {
>  	case MADV_COLD:
>  	case MADV_PAGEOUT:
>  	case MADV_WILLNEED:
> -		return true;
>  	case MADV_COLLAPSE:
> -		return task == current || capable(CAP_SYS_ADMIN);
> +		return true;
>  	default:
>  		return false;
>  	}
> @@ -1457,7 +1455,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
>  		goto free_iov;
>  	}
>  
> -	if (!process_madvise_behavior_valid(behavior, task)) {
> +	if (!process_madvise_behavior_valid(behavior)) {
>  		ret = -EINVAL;
>  		goto release_task;
>  	}
> -- 
> 2.37.1.455.g008518b4e5-goog

-- 
Michal Hocko
SUSE Labs