Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752837AbdHJRBu (ORCPT ); Thu, 10 Aug 2017 13:01:50 -0400 Received: from mx2.suse.de ([195.135.220.15]:38742 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752316AbdHJRBs (ORCPT ); Thu, 10 Aug 2017 13:01:48 -0400 Date: Thu, 10 Aug 2017 19:01:44 +0200 From: Michal Hocko To: Colm =?iso-8859-1?Q?MacC=E1rthaigh?= Cc: Florian Weimer , Kees Cook , Mike Kravetz , Rik van Riel , Will Drewry , akpm@linux-foundation.org, dave.hansen@intel.com, kirill@shutemov.name, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, luto@amacapital.net, mingo@kernel.org Subject: Re: [PATCH v2 0/2] mm,fork,security: introduce MADV_WIPEONFORK Message-ID: <20170810170144.GA987@dhcp22.suse.cz> References: <20170806140425.20937-1-riel@redhat.com> <20170807132257.GH32434@dhcp22.suse.cz> <20170807134648.GI32434@dhcp22.suse.cz> <1502117991.6577.13.camel@redhat.com> <20170810130531.GS23863@dhcp22.suse.cz> <20170810153639.GB23863@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2114 Lines: 46 On Thu 10-08-17 16:17:18, Colm MacCárthaigh wrote: > On Déar 10 Lún 2017 at 17:36 Michal Hocko wrote: > > > On Thu 10-08-17 15:23:05, Colm MacCįrthaigh wrote: > > > On Thu, Aug 10, 2017 at 3:05 PM, Michal Hocko wrote: > > > >> Too late for that. VM_DONTFORK is already implemented > > > >> through MADV_DONTFORK & MADV_DOFORK, in a way that is > > > >> very similar to the MADV_WIPEONFORK from these patches. > > > > > > > > Yeah, those two seem to be breaking the "madvise as an advise" > > semantic as > > > > well but that doesn't mean we should follow that pattern any further. > > > > > > I would imagine that many of the crypto applications using > > > MADV_WIPEONFORK will also be using MADV_DONTDUMP. In cases where it's > > > for protecting secret keys, I'd like to use both in my code, for > > > example. Though that doesn't really help decide this. > > > > > > There is also at least one case for being able to turn WIPEONFORK > > > on/off with an existing page; a process that uses privilege separation > > > often goes through the following flow: > > > > > > 1. [ Access privileged keys as a power user and initialize memory ] > > > 2. [ Fork a child process that actually does the work ] > > > 3. [ Child drops privileges and uses the memory to do work ] > > > 4. [ Parent hangs around to re-spawn a child if it crashes ] > > > > > > In that mode it would be convenient to be able to mark the memory as > > > WIPEONFORK in the child, but not the parent. > > > > I am not sure I understand. The child will have an own VMA so chaging > > the attribute will not affect parent. Or did I misunderstand your > > example? > > > > Typically with privilege separation the parent has to share some minimal > state with the child. In this case that's why the page is left alone. > Though a smart parent could unset and set just immediately around the fork. > > The point then of protecting it in the child is to ensure that a grandchild > doesn't inherit the secret data. Does anybody actually do that using the minherit BSD interface? -- Michal Hocko SUSE Labs