Date: Sun, 6 Jan 2019 00:09:02 +0100 (CET)
From: Jiri Kosina
To: Jann Horn
cc: Linus Torvalds, Andrew Morton, Greg KH, Peter Zijlstra, Michal Hocko, Linux-MM, kernel list, Linux API
Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 5 Jan 2019, Jann Horn wrote:

> > Provide vm.mincore_privileged sysctl, which makes it possible to mincore()
> > start returning -EPERM in case it's invoked by a process lacking
> > CAP_SYS_ADMIN.
> >
> > The default behavior stays "mincore() can be used by anybody" in order to
> > be conservative with respect to userspace behavior.
> >
> > [1] https://www.theregister.co.uk/2019/01/05/boffins_beat_page_cache/
>
> Just checking: I guess /proc/$pid/pagemap (iow, the pagemap_read()
> handler) is less problematic because it only returns data about the
> state of page tables, and doesn't query the address_space? In other
> words, it permits monitoring evictions, but non-intrusively detecting
> that something has been loaded into memory by another process is
> harder?

So I was just about to immediately reply that we don't expose pagemap anymore due to rowhammer, but apparently that's not true any more (this behaviour was originally introduced by ab676b7d6fbf, but then changed via 1c90308e7a77 (and further adjusted for swap entries in ab6ecf247a, but I guess that's not all that interesting)).

Hmm. But unless it has been mapped with MAP_POPULATE (which is outside the attacker's control), there is no guarantee that the mappings would actually be there, right?

-- 
Jiri Kosina
SUSE Labs