Date: Fri, 8 Jan 2021 12:58:57 -0800
Message-Id: <20210108205857.1471269-1-surenb@google.com>
Subject: [PATCH 1/1] mm/madvise: replace ptrace attach requirement for process_madvise
From: Suren Baghdasaryan
To: akpm@linux-foundation.org
Cc: jannh@google.com, keescook@chromium.org, jeffv@google.com, minchan@kernel.org, mhocko@suse.com, shakeelb@google.com, rientjes@google.com, edgararriaga@google.com, timmurray@google.com, linux-mm@kvack.org, selinux@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, surenb@google.com
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

process_madvise currently requires ptrace attach capability. PTRACE_MODE_ATTACH gives one process complete control over another process. It effectively removes the security boundary between the two processes (in one direction). Granting ptrace attach capability even to a system process is considered dangerous since it creates an attack surface. This severely limits the usage of this API.

The operations process_madvise can perform do not affect the correctness of the operation of the target process; they only affect where the data is physically located (and therefore, how fast it can be accessed). What we want is the ability for one process to influence another process in order to optimize performance across the entire system while leaving the security boundary intact.

Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata and CAP_SYS_NICE for influencing process performance.

Signed-off-by: Suren Baghdasaryan
---
 mm/madvise.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/mm/madvise.c b/mm/madvise.c
index 6a660858784b..c2d600386902 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1197,12 +1197,22 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, goto release_task; } - mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS); + /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */ + mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); if (IS_ERR_OR_NULL(mm)) { ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; goto release_task; } + /* + * Require CAP_SYS_NICE for influencing process performance. Note that + * only non-destructive hints are currently supported. + */ + if (!capable(CAP_SYS_NICE)) { + ret = -EPERM; + goto release_task; + } + total_len = iov_iter_count(&iter); while (iov_iter_count(&iter)) { -- 2.30.0.284.gd98b1dd5eaa7-goog
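Review bot: the new CAP_SYS_NICE failure path leaks the mm reference. It sits after `mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);` has succeeded, and mm_access() hands back a reference that must be dropped with mmput(); jumping straight to `release_task` from `if (!capable(CAP_SYS_NICE))` skips that drop, so every unprivileged caller with read access to the target pins the target's mm. Two fixes are possible: move the `capable(CAP_SYS_NICE)` test ahead of the mm_access() call, where `goto release_task` is correct and the cheap check also short-circuits before any reference is taken, or add a `release_mm:` label that does `mmput(mm);` immediately before `release_task:` and make the new error path `goto release_mm`. Whichever you pick, the comment above the check ("only non-destructive hints are currently supported") is the right place to note that CAP_SYS_NICE is being used because the operations only affect placement, not contents, so a future destructive hint would need a stronger check.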