Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1984147imu;
        Sat, 5 Jan 2019 11:26:33 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6lsVVYVUKx1Of3uM1xjL35EKbUoo3XOZ5vi+0JAdeXtL0gdB+eTbc8RlUKWcxNKcwCp4OX
X-Received: by 2002:a63:7d06:: with SMTP id y6mr5650330pgc.171.1546716393370;
        Sat, 05 Jan 2019 11:26:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546716393; cv=none;
        d=google.com; s=arc-20160816;
        b=VN/81/bZUiX0IktbTPjqbI9BOTKswMfuVTrUGLMnfXVxGR7cS3SHGEyOdk8Em9YRKp
         P5A3itC7c5kQA8vw6zR5hPx1WhtXfmRaqDNFp8wChqn0OEYfDagY4RPCMvuSHlxcLh2b
         CqvBfDzQOtAey+4oGVHOy//E7HMVO80jYk10wQZuJ1zHd1SD7oDjzfMBVPuxrqDrXBC7
         yVKXcc77QlCai6M44CKL5pb1+H5zeuwGm92iI/yRqoKQO53MNxSCcnvB8e7mE/eGHPta
         pUn1BVjhpM/b8gjnBgeTFChDfmk6BtPsP+TKjDOSgRUxsxjBIusr170udb9Vu8j1NRFs
         93Kw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=jJ+jGacXZo4Ybr8s5P1KbEwvFpRSHBMbVRnJ1VTbiqQ=;
        b=rpe5ZmemQPpBVNxQJmfZPobfv87D1lwha5Sb4SehXQuA12HvA4D+KdFLnPFZq55qbM
         cNDumfOEFCx8fdp7IZ8Y6Get7juYNjTtkPAJFnytZcfLuY+ErT6Y6Dk9pADre3lyj9lY
         wlYj1PJsyxV0Y/3Xebjhc9bnc2Fx6rwrmOOfDGCMRPoqilfMTCTn2nexb2pRs9WjW2Yw
         WexsQa8nc+qINEGu7Tki5kBB9qWq0CjW5ZbL/RV6YhnA6VLf0k0i0OQ/PGaIHo76tauE
         3eSfihmhiq+oEgf6l8URo2Nm9cSPUFK1Joue1vmk1Tt05KEiU+Ghk9FOSdKJT1p3FTA1
         Aomg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g5si12598494plt.273.2019.01.05.11.26.17;
        Sat, 05 Jan 2019 11:26:33 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726295AbfAETYF (ORCPT <rfc822;linux.htchiang@gmail.com>
        + 99 others); Sat, 5 Jan 2019 14:24:05 -0500
Received: from mx2.suse.de ([195.135.220.15]:33462 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726262AbfAETYF (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 5 Jan 2019 14:24:05 -0500
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (unknown [195.135.220.254])
        by mx1.suse.de (Postfix) with ESMTP id 0A0CAACE8;
        Sat,  5 Jan 2019 19:24:04 +0000 (UTC)
Date:   Sat, 5 Jan 2019 20:24:03 +0100 (CET)
From:   Jiri Kosina <jikos@kernel.org>
To:     Vlastimil Babka <vbabka@suse.cz>
cc:     Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Greg KH <gregkh@linuxfoundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Michal Hocko <mhocko@suse.com>, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged
In-Reply-To: <d4846cb2-2a4b-b8b3-daac-e5f51751bbf1@suse.cz>
Message-ID: <nycvar.YFH.7.76.1901052016250.16954@cbobk.fhfr.pm>
References: <nycvar.YFH.7.76.1901051817390.16954@cbobk.fhfr.pm> <d4846cb2-2a4b-b8b3-daac-e5f51751bbf1@suse.cz>
User-Agent: Alpine 2.21 (LSU 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 5 Jan 2019, Vlastimil Babka wrote:

> > There are possibilities [1] how mincore() could be used as a converyor of 
> > a sidechannel information about pagecache metadata.
> > 
> > Provide vm.mincore_privileged sysctl, which makes it possible to mincore() 
> > start returning -EPERM in case it's invoked by a process lacking 
> > CAP_SYS_ADMIN.
> 
> Haven't checked the details yet, but wouldn't it be safe if anonymous private
> mincore() kept working, and restrictions were applied only to page cache?

I was considering that, but then I decided not to do so, as that'd make 
the interface even more confusing and semantics non-obvious in the 
'privileged' case.

> > The default behavior stays "mincore() can be used by anybody" in order to 
> > be conservative with respect to userspace behavior.
> 
> What if we lied instead of returned -EPERM, to not break userspace so 
> obviously? I guess false positive would be the safer lie?

So your proposal basically would be

if (privileged && !CAP_SYS_ADMIN)
	if (pagecache)
		return false;
	else
		return do_mincore()

right ?

I think userspace would hate us for that semantics, but on the other hand 
I can sort of understand the 'mincore() is racy anyway, so what' argument, 
if that's what you are suggesting.

But then, I have no idea what userspace is using mincore() for. 
https://codesearch.debian.net/search?q=mincore might provide some insight 
I guess (thanks Matthew).

-- 
Jiri Kosina
SUSE Labs