Re: [PATCH v4 3/5] mm, security: Add lsm hook for memory policy adjustment

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Casey Schaufler <casey@schaufler-ca.com>
To: Yafang Shao <laoar.shao@gmail.com>,
	akpm@linux-foundation.org, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com, omosnace@redhat.com,
	mhocko@suse.com, ying.huang@intel.com
Cc: linux-mm@kvack.org, linux-security-module@vger.kernel.org,
	bpf@vger.kernel.org, ligang.bdlg@bytedance.com,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v4 3/5] mm, security: Add lsm hook for memory policy adjustment
Date: Fri, 8 Dec 2023 09:30:29 -0800	[thread overview]
Message-ID: <d049f5a1-29ac-4fd9-95b2-45d5fd5ecae5@schaufler-ca.com> (raw)
In-Reply-To: <20231208090622.4309-4-laoar.shao@gmail.com>

On 12/8/2023 1:06 AM, Yafang Shao wrote:
> In a containerized environment, independent memory binding by a user can
> lead to unexpected system issues or disrupt tasks being run by other users
> on the same server. If a user genuinely requires memory binding, we will
> allocate dedicated servers to them by leveraging kubelet deployment.
>
> At present, users have the capability to bind their memory to a specific
> node without explicit agreement or authorization from us. Consequently, a
> new LSM hook is introduced to mitigate this. This implementation allows us
> to exercise fine-grained control over memory policy adjustments within our
> container environment

I wonder if security_vm_enough_memory() ought to be reimplemented as
an option to security_set_mempolicy(). I'm not convinced either way,
but I can argue both. 

> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> ---
>  include/linux/lsm_hook_defs.h |  3 +++
>  include/linux/security.h      |  9 +++++++++
>  mm/mempolicy.c                |  8 ++++++++
>  security/security.c           | 13 +++++++++++++
>  4 files changed, 33 insertions(+)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index ff217a5..5580127 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -419,3 +419,6 @@
>  LSM_HOOK(int, 0, uring_sqpoll, void)
>  LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
>  #endif /* CONFIG_IO_URING */
> +
> +LSM_HOOK(int, 0, set_mempolicy, unsigned long mode, unsigned short mode_flags,
> +	 nodemask_t *nmask, unsigned int flags)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 1d1df326..cc4a19a 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -484,6 +484,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
>  int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
>  int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
>  int security_locked_down(enum lockdown_reason what);
> +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
> +			   nodemask_t *nmask, unsigned int flags);
>  #else /* CONFIG_SECURITY */
>  
>  static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> @@ -1395,6 +1397,13 @@ static inline int security_locked_down(enum lockdown_reason what)
>  {
>  	return 0;
>  }
> +
> +static inline int
> +security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
> +		       nodemask_t *nmask, unsigned int flags)
> +{
> +	return 0;
> +}
>  #endif	/* CONFIG_SECURITY */
>  
>  #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 10a590e..9535d9e 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1483,6 +1483,10 @@ static long kernel_mbind(unsigned long start, unsigned long len,
>  	if (err)
>  		return err;
>  
> +	err = security_set_mempolicy(lmode, mode_flags, &nodes, flags);
> +	if (err)
> +		return err;
> +
>  	return do_mbind(start, len, lmode, mode_flags, &nodes, flags);
>  }
>  
> @@ -1577,6 +1581,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
>  	if (err)
>  		return err;
>  
> +	err = security_set_mempolicy(lmode, mode_flags, &nodes, 0);
> +	if (err)
> +		return err;
> +
>  	return do_set_mempolicy(lmode, mode_flags, &nodes);
>  }
>  
> diff --git a/security/security.c b/security/security.c
> index dcb3e70..685ad79 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -5337,3 +5337,16 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd)
>  	return call_int_hook(uring_cmd, 0, ioucmd);
>  }
>  #endif /* CONFIG_IO_URING */
> +
> +/**
> + * security_set_mempolicy() - Check if memory policy can be adjusted
> + * @mode: The memory policy mode to be set
> + * @mode_flags: optional mode flags
> + * @nmask: modemask to which the mode applies
> + * @flags: mode flags for mbind(2) only
> + */
> +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
> +			   nodemask_t *nmask, unsigned int flags)
> +{
> +	return call_int_hook(set_mempolicy, 0, mode, mode_flags, nmask, flags);
> +}

next      parent reply	other threads:[~2023-12-08 17:30 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20231208090622.4309-1-laoar.shao@gmail.com>
     [not found] ` <20231208090622.4309-4-laoar.shao@gmail.com>
2023-12-08 17:30   ` Casey Schaufler [this message]
2023-12-10  2:54     ` Yafang Shao
     [not found] ` <20231208090622.4309-6-laoar.shao@gmail.com>
2023-12-12 19:22   ` [PATCH v4 5/5] selftests/bpf: Add selftests for set_mempolicy with a lsm prog KP Singh
2023-12-13  3:08     ` Yafang Shao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d049f5a1-29ac-4fd9-95b2-45d5fd5ecae5@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=akpm@linux-foundation.org \
    --cc=bpf@vger.kernel.org \
    --cc=jmorris@namei.org \
    --cc=laoar.shao@gmail.com \
    --cc=ligang.bdlg@bytedance.com \
    --cc=linux-mm@kvack.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mhocko@suse.com \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    --cc=ying.huang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox