Date: Thu, 25 Apr 2024 17:45:54 -0400
From: Kent Overstreet
To: Andrew Morton
Cc: Suren Baghdasaryan, Matthew Wilcox, Kees Cook, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo

On Thu, Apr 25, 2024 at 02:38:42PM -0700, Andrew Morton wrote:
> On Thu, 25 Apr 2024 14:21:39 -0700 Suren Baghdasaryan wrote:
>
> > > > > The side effect of locking down more and more reporting interfaces is
> > > > > that programs that consume those interfaces now have to run as root.
> > > >
> > > > sudo cat /proc/allocinfo | analyse-that-fie
> > >
> > > Even that is still an annoyance, but I'm thinking more about a future
> > > daemon to collect this every n seconds - that really shouldn't need to
> > > be root.
> >
> > Yeah, that would preclude some nice usecases. Could we maybe use
> > CAP_SYS_ADMIN checks instead? That way we can still use it from a
> > non-root process?
>
> I'm inclined to keep Kees's 0400. Yes it's a hassle but security is
> always a hassle. Let's not make Linux less secure, especially for
> people who aren't even using /proc/allocinfo.

That's a bit too trite; we've seen often enough that putting security
above all other concerns leads to worse outcomes in the long run; impair
usability too much and you're just causing more problems than you solve.

We need to take a balanced approach, like with everything else we do.

I'd really like to hear from Kees why pre-sorting the output so we
aren't leaking kernel image details wouldn't be sufficient.