Date: Mon, 11 Jan 2021 09:06:22 -0800
Message-Id: <20210111170622.2613577-1-surenb@google.com>
Subject: [PATCH v2 1/1] mm/madvise: replace ptrace attach requirement for process_madvise
From: Suren Baghdasaryan
To: akpm@linux-foundation.org
Cc: jannh@google.com, keescook@chromium.org, jeffv@google.com, minchan@kernel.org, mhocko@suse.com, shakeelb@google.com, rientjes@google.com, edgararriaga@google.com, timmurray@google.com, linux-mm@kvack.org, selinux@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, surenb@google.com
X-Mailing-List: linux-kernel@vger.kernel.org

process_madvise currently requires ptrace attach capability. PTRACE_MODE_ATTACH gives one process complete control over another process. It effectively removes the security boundary between the two processes (in one direction). Granting ptrace attach capability even to a system process is considered dangerous since it creates an attack surface. This severely limits the usage of this API.

The operations process_madvise can perform do not affect the correctness of the operation of the target process; they only affect where the data is physically located (and therefore, how fast it can be accessed). What we want is the ability for one process to influence another process in order to optimize performance across the entire system while leaving the security boundary intact.

Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata and CAP_SYS_NICE for influencing process performance.

Signed-off-by: Suren Baghdasaryan
Acked-by: Minchan Kim
Acked-by: David Rientjes
---
 mm/madvise.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/mm/madvise.c b/mm/madvise.c
index 6a660858784b..a9bcd16b5d95 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1197,12 +1197,22 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, goto release_task; } - mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS); + /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */ + mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); if (IS_ERR_OR_NULL(mm)) { ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; goto release_task; } + /* + * Require CAP_SYS_NICE for influencing process performance. Note that + * only non-destructive hints are currently supported. + */ + if (!capable(CAP_SYS_NICE)) { + ret = -EPERM; + goto release_mm; + } + total_len = iov_iter_count(&iter); while (iov_iter_count(&iter)) { @@ -1217,6 +1227,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, if (ret == 0) ret = total_len - iov_iter_count(&iter); +release_mm: mmput(mm); release_task: put_task_struct(task); -- 2.30.0.284.gd98b1dd5eaa7-goog
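Review bot: in the first hunk the `if (!capable(CAP_SYS_NICE))` test runs only after `mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);` has succeeded and taken a reference on the target mm, so every caller without the capability pays for the mm lookup and then unwinds through the new release_mm label; moving the capability check ahead of mm_access() rejects those callers earlier and keeps the failure path shorter. Two behaviours of this hunk also deserve a sentence in the commit message: capable() evaluates the caller against the initial user namespace, so CAP_SYS_NICE held only inside a child user namespace does not satisfy the check, and the check is applied regardless of whether the target is the caller's own task, so a process issuing hints against its own address space now needs CAP_SYS_NICE where the previous PTRACE_MODE_ATTACH_FSCREDS path allowed it without any capability.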
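Review bot: with the second hunk, any early exit placed between mm_access() and the iov loop must jump to release_mm rather than release_task, otherwise the mm reference taken by mm_access() is never dropped; the -EPERM exit added in the first hunk does this correctly, and the label sits immediately before mmput(mm) with only `ret = total_len - iov_iter_count(&iter);` above it, so the capability failure skips the result computation and still releases the mm before the task, matching acquisition order. A brief comment at the label noting that it is the unwind point for every exit after mm_access() would make that invariant visible to the next person editing this function.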