Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1992054imu; Sat, 5 Jan 2019 11:40:00 -0800 (PST) X-Google-Smtp-Source: ALg8bN7bPwsbHeoEG/4w3d4oQacscooD5Lbdt0RzuX/YPTeRJcs+doOUdaqhOujaRz1urqXZ6fN2 X-Received: by 2002:a65:534b:: with SMTP id w11mr5767341pgr.125.1546717200854; Sat, 05 Jan 2019 11:40:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546717200; cv=none; d=google.com; s=arc-20160816; b=P0qpycHCOCAMRLPupCMTB3ags8NTnwqJ1tcuDc8LA/L90a9rjaqQaMSLLt1zgxBBW/ O62yykvElYyCnD5noptFTvJeiJTrqg/Tom3nPjjm47NaGBCFBmpgq31HrgFwKi7Lj29J tovGtd80+4uSP7xatjo7Zr0ff8SJcZrwguaS9hMzfKhkZfwM1qSGIdXNKDr88Vd6km/O i1r58MEdQR+644ER2oZZuev5kEP9hKv2g8QdES4iVKeBbxxpS3OZSyseluJgzL9CMHld +aMOiCyMc4TA5039aNqz/oI/TAPJRM+rTyHNAxcz8mVWNqUP1v2H8X7Z0K7GSUOodyX8 t6Yg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=uD1lpm6EDd1mxZnUAMI1jDMQyZRWcULxHF9c5u3YY7o=; b=OEtfVgfXM4AEGaP5CoDCYhmUl1rxvT5JFGxFB8vNVYRZ5IDH6bB3sJWOhK5keD3JjW ZWRNr8F3uV9KWcwXL4Zrd9TRvzs50W6LufHB0oHW9lHGr25rnf/G+5KTetiYEOx/MViC RocCW6A+75DRvO8mJ0MLAlEUoopY2Wmv7hc26NaFcrcASAIW2peCR7dW2vy+H6eyOnvR /tOCxTCdeeL17G/QvCuqSDgeiRq18zolbPWQkfdK8PbldqmmgvgIFB+Eggu+LfmlphjF TdPH+zAODKSp/HF72iGKV+hv18AEDpxSuBnqYNWqW29LjRdGlODcGuuhqHuZcU5Kg2RS X47Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p11si8405612plk.191.2019.01.05.11.39.44; Sat, 05 Jan 2019 11:40:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726316AbfAETid (ORCPT + 99 others); Sat, 5 Jan 2019 14:38:33 -0500 Received: from mx2.suse.de ([195.135.220.15]:34578 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726282AbfAETid (ORCPT ); Sat, 5 Jan 2019 14:38:33 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 3E470AEB8; Sat, 5 Jan 2019 19:38:32 +0000 (UTC) Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged To: Jiri Kosina Cc: Linus Torvalds , Andrew Morton , Greg KH , Peter Zijlstra , Michal Hocko , linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org References: From: Vlastimil Babka Message-ID: Date: Sat, 5 Jan 2019 20:38:31 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5.1.2019 20:24, Jiri Kosina wrote: > On Sat, 5 Jan 2019, Vlastimil Babka wrote: > >>> There are possibilities [1] how mincore() could be used as a converyor of >>> a sidechannel information about pagecache metadata. >>> >>> Provide vm.mincore_privileged sysctl, which makes it possible to mincore() >>> start returning -EPERM in case it's invoked by a process lacking >>> CAP_SYS_ADMIN. >> >> Haven't checked the details yet, but wouldn't it be safe if anonymous private >> mincore() kept working, and restrictions were applied only to page cache? > > I was considering that, but then I decided not to do so, as that'd make > the interface even more confusing and semantics non-obvious in the > 'privileged' case. > >>> The default behavior stays "mincore() can be used by anybody" in order to >>> be conservative with respect to userspace behavior. >> >> What if we lied instead of returned -EPERM, to not break userspace so >> obviously? I guess false positive would be the safer lie? > > So your proposal basically would be > > if (privileged && !CAP_SYS_ADMIN) > if (pagecache) > return false; I was thinking about "return true" here, assuming that userspace generally wants to ensure itself there won't be page faults when it starts doing something critical, and if it sees a "false" it will try to do some kind of prefaulting, possibly in a loop. There might be somebody trying to make sure something is out of pagecache (it wants to see "false"), but can't think of anything except benchmarks? > else > return do_mincore() > > right ? > > I think userspace would hate us for that semantics, but on the other hand > I can sort of understand the 'mincore() is racy anyway, so what' argument, > if that's what you are suggesting. > > But then, I have no idea what userspace is using mincore() for. > https://codesearch.debian.net/search?q=mincore might provide some insight > I guess (thanks Matthew). >