Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1274547pxb; Thu, 28 Jan 2021 12:07:43 -0800 (PST) X-Google-Smtp-Source: ABdhPJxJMW9+JAKITL9p4rIfKn3VvwPxSqIyMxweXSitOYOVlXcIWn94OSs4uoOlySUb8GjYephY X-Received: by 2002:a17:906:48f:: with SMTP id f15mr1169180eja.392.1611864462942; Thu, 28 Jan 2021 12:07:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611864462; cv=none; d=google.com; s=arc-20160816; b=PYHp7pXm1uQtqdgaooKPtm2X2W04iDHIkBJ2R3USXw7TRdUeIkEFp6N9ZJajxYhecE qf9pIpEa6eyZfMDM/i887iQ6OB+foxKyrOCtfIh3sHssdSxWbT0I/8hR6SH54MsGU5IX +UbVOHo0/oZ7YfMJouVvmHVs+zgllfTEhxvDL+d8I6G9ZBxQXZLxGv8hzuowwIsx+ab3 sFCWTIWGLChyvc7yJpwMjABPpQYd76YWC27vMqAvHr6EwTZgoEmdiyv99irGGCw6dfhf +eTPKmRAxnllYYOcbtJmcW84B0aRMuZeDhMCJwMwN2jtNp/Tb0ZJgaGnVbFhQWwYQ1je W8ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=EyD3wHKnz4mNZyyvJbfB06klVKrdyE3VJ5F5elJU0p4=; b=iX+ypQjZXSH0++R6TsXR5OnKKt+m7Xn/yOSDb7CL1GTVb3w7vbmkW0VpEgWwPiliGu n2183S0pGZEq4tGmUlCEz8+DPkYut6R0vpL3B0WKvAHeHPIJBOqKBcJLdrN/jfkKOeiq D+mHFUX3/ZAO39RtmJt9q2/zjkwxMREX1fTi+WGNUqrsav4P7y3hN0qKazJ9qf+MMVb0 JqqxKl1Cr4z/i1wyTITIhX4Qip0F3r4lQ3ZxUZQyHJPE2W0AZLnuXJ4fND1DeHX43THA wHmkCKgrTEvrnVFltAPw+X/vgxK7oQJW8CHoyUjJzmucJUAvDRdvt7NYXk4O/9H/rTN1 F8aQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dE6DkK29; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w13si3811933edd.262.2021.01.28.12.07.17; Thu, 28 Jan 2021 12:07:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dE6DkK29; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231400AbhA1UDk (ORCPT + 99 others); Thu, 28 Jan 2021 15:03:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57534 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231210AbhA1UAk (ORCPT ); Thu, 28 Jan 2021 15:00:40 -0500 Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 198E0C0613D6 for ; Thu, 28 Jan 2021 11:51:32 -0800 (PST) Received: by mail-wr1-x42d.google.com with SMTP id s7so3641280wru.5 for ; Thu, 28 Jan 2021 11:51:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EyD3wHKnz4mNZyyvJbfB06klVKrdyE3VJ5F5elJU0p4=; b=dE6DkK29jp1+2E1wW4vsdERPnjCiGfWiDO/sMZTB7Ak26IuFMJQv59WorheyAZjC+A WMGzKQl2IPb8WDCumWHWk0exXWe0DR5W2MXc2boIjmbvsHkTup0MURQuP6O2xaeiaG/i cQwicLWx+9CXz/RGIKJlXjhC+4lDsFMlMuCnpdvB1E5iWsvRwylRX2XGyr03u7bYW/dg aHCQsUX0XfLFEDRER1WS9zZumqHSOUR4kqOcb4e914Uj3aH8XZ3+1aU/+IJ32eTCjPWP 7ydfG7rlPVXbzmI7RNdrj/LykQawxAQyc3Bs9MpJaSeLB5oHkOaUbHXgDhkaktLGjFna o2fg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EyD3wHKnz4mNZyyvJbfB06klVKrdyE3VJ5F5elJU0p4=; b=lAU30W5mx7oBaQdF0C3t7g7pcK1iWtsL7j7RzZGsVAXdkervg2BUolU6f9Hjn3kVic 7b5C+dkV2smdtTQx+kAwG5CZpgLv6OCbQfvqRvDA6zA5NVR4hyR2xaEdrLw0CIKlvVqz PE7dDiGjua+Jr5W0y5tfsbePqtgr99VyuW/vbIv3R95DR3zk4Ke8PUPZio7GnjlaITOU a8byGlJN/KO1O/h1r7ra/uCOZgxNYY7c5QfSuiQDi5pvhVC4bY7u6NIVF0cfrN0ktOdX 5plXxI8YioQsWI3/dtkPa2XV67fXwKu5iU7xfIoi0dMVpBbGpCvg+XlOwgq13EZK8gdt yOFA== X-Gm-Message-State: AOAM533gjzjwDVUu5bSi03CwiYfiDDM2p0YF86EeWklmYWYiMi1WmH2n C2WgPFEoNvLy1EP0S5Wy4sPqlEBwlRHhO263aZ4FwA== X-Received: by 2002:a5d:453b:: with SMTP id j27mr808169wra.92.1611863490625; Thu, 28 Jan 2021 11:51:30 -0800 (PST) MIME-Version: 1.0 References: <20210111170622.2613577-1-surenb@google.com> <20210112074629.GG22493@dhcp22.suse.cz> <20210112174507.GA23780@redhat.com> <20210113142202.GC22493@dhcp22.suse.cz> <20210126135254.GP827@dhcp22.suse.cz> In-Reply-To: <20210126135254.GP827@dhcp22.suse.cz> From: Suren Baghdasaryan Date: Thu, 28 Jan 2021 11:51:19 -0800 Message-ID: Subject: Re: [PATCH v2 1/1] mm/madvise: replace ptrace attach requirement for process_madvise To: Michal Hocko Cc: Jann Horn , Oleg Nesterov , Andrew Morton , Kees Cook , Jeffrey Vander Stoep , Minchan Kim , Shakeel Butt , David Rientjes , =?UTF-8?Q?Edgar_Arriaga_Garc=C3=ADa?= , Tim Murray , linux-mm , SElinux list , Linux API , LKML , kernel-team , linux-security-module , stable Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 26, 2021 at 5:52 AM 'Michal Hocko' via kernel-team wrote: > > On Wed 20-01-21 14:17:39, Jann Horn wrote: > > On Wed, Jan 13, 2021 at 3:22 PM Michal Hocko wrote: > > > On Tue 12-01-21 09:51:24, Suren Baghdasaryan wrote: > > > > On Tue, Jan 12, 2021 at 9:45 AM Oleg Nesterov wrote: > > > > > > > > > > On 01/12, Michal Hocko wrote: > > > > > > > > > > > > On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote: > > > > > > > > > > > > > What we want is the ability for one process to influence another process > > > > > > > in order to optimize performance across the entire system while leaving > > > > > > > the security boundary intact. > > > > > > > Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ > > > > > > > and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata > > > > > > > and CAP_SYS_NICE for influencing process performance. > > > > > > > > > > > > I have to say that ptrace modes are rather obscure to me. So I cannot > > > > > > really judge whether MODE_READ is sufficient. My understanding has > > > > > > always been that this is requred to RO access to the address space. But > > > > > > this operation clearly has a visible side effect. Do we have any actual > > > > > > documentation for the existing modes? > > > > > > > > > > > > I would be really curious to hear from Jann and Oleg (now Cced). > > > > > > > > > > Can't comment, sorry. I never understood these security checks and never tried. > > > > > IIUC only selinux/etc can treat ATTACH/READ differently and I have no idea what > > > > > is the difference. > > > > Yama in particular only does its checks on ATTACH and ignores READ, > > that's the difference you're probably most likely to encounter on a > > normal desktop system, since some distros turn Yama on by default. > > Basically the idea there is that running "gdb -p $pid" or "strace -p > > $pid" as a normal user will usually fail, but reading /proc/$pid/maps > > still works; so you can see things like detailed memory usage > > information and such, but you're not supposed to be able to directly > > peek into a running SSH client and inject data into the existing SSH > > connection, or steal the cryptographic keys for the current > > connection, or something like that. > > > > > > I haven't seen a written explanation on ptrace modes but when I > > > > consulted Jann his explanation was: > > > > > > > > PTRACE_MODE_READ means you can inspect metadata about processes with > > > > the specified domain, across UID boundaries. > > > > PTRACE_MODE_ATTACH means you can fully impersonate processes with the > > > > specified domain, across UID boundaries. > > > > > > Maybe this would be a good start to document expectations. Some more > > > practical examples where the difference is visible would be great as > > > well. > > > > Before documenting the behavior, it would be a good idea to figure out > > what to do with perf_event_open(). That one's weird in that it only > > requires PTRACE_MODE_READ, but actually allows you to sample stuff > > like userspace stack and register contents (if perf_event_paranoid is > > 1 or 2). Maybe for SELinux things (and maybe also for Yama), there > > should be a level in between that allows fully inspecting the process > > (for purposes like profiling) but without the ability to corrupt its > > memory or registers or things like that. Or maybe perf_event_open() > > should just use the ATTACH mode. > > Thanks for the clarification. I still cannot say I would have a good > mental picture. Having something in Documentation/core-api/ sounds > really needed. Wrt to perf_event_open it sounds really odd it can do > more than other places restrict indeed. Something for the respective > maintainer but I strongly suspect people simply copy the pattern from > other places because the expected semantic is not really clear. > Sorry, back to the matters of this patch. Are there any actionable items for me to take care of before it can be accepted? The only request from Andrew to write a man page is being worked on at https://lore.kernel.org/linux-mm/20210120202337.1481402-1-surenb@google.com/ and I'll follow up with the next version. I also CC'ed stable@ for this to be included into 5.10 per Andrew's request. That CC was lost at some point, so CC'ing again. I do not see anything else on this patch to fix. Please chime in if there are any more concerns, otherwise I would ask Andrew to take it into mm-tree and stable@ to apply it to 5.10. Thanks! > -- > Michal Hocko > SUSE Labs > > -- > To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com. >