Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2227928pxb; Fri, 5 Mar 2021 10:10:23 -0800 (PST) X-Google-Smtp-Source: ABdhPJzYZ6vY3wCKoJ1iA/9bwgww01hpU5qi7z0LSYzEi6kWBEsyQcgt+JKZ+fSp6hJwy8KORKBO X-Received: by 2002:a17:906:acb:: with SMTP id z11mr3466492ejf.193.1614967823039; Fri, 05 Mar 2021 10:10:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614967823; cv=none; d=google.com; s=arc-20160816; b=e9yFFPd4W61Tk1SDCngcLoUQgobQt7nRAE632I39is6YTPNyo5+hOnSHASp0ZBSg1h kL/DyeOQdhoPC9gt+0qbjmQfRYUy/Ch2aQIxSr2OBgpy+NunkdAFG2i2o+aZF1oi/wvJ PA1uiCyW38QnJjKBpFjtVnY+WHkCzJzgunD72Jgwj9lUK3ui6JpBO4y3wZBrsNvdZEXI t25EXAChFX5/UjWVCAuuX5QTD5PBZXT+UADWyPOrsy6dD7M4aXmlYjAdCvSX2KDEI7a2 3fydlSGIzZxMPp7nBu38DhKGqn3GYPcR2ZklKQSORNAmnVQxcN0TF/0bLv57kXDJMN6l uAeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=i+6o5aVNdSv/9PF60BXlGDu7aBq8OxaHxrB0uLUzYrc=; b=t1Yi9ZxOYNl+5Ve6wCKuukeV2n5qNTsz/cf+jr6elaMlVlUXFaJL5Ey2z9mR+5ZSUu ISzl46CEgjS4fvPvODpvayCxSgkwsH0Tk1ApXE7sS8usZ031Gwk/ZU73s2mHW/DLYG6j lEuxIEan0Uq4sKkr1n0RchhHMMp+75wj3nYIZtXuiSkv9kfI4ce/Sb48zZk9S9bogXi5 x7XesyVElPbsINrXi/SgBwbknKhrSQLUy/+4H8/1CCr2Mmz0xD9AduEdYOPirNyeFx++ 2xiUe3OZg/p9561pJUPIWdzV9+u5SUbeTUptL9TREnWmYXjOULbGGp1VkVE91unMUe99 Jw2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Ny7RBbrR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s14si1900131edy.365.2021.03.05.10.09.57; Fri, 05 Mar 2021 10:10:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Ny7RBbrR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229517AbhCESJC (ORCPT + 99 others); Fri, 5 Mar 2021 13:09:02 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53316 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229558AbhCESI3 (ORCPT ); Fri, 5 Mar 2021 13:08:29 -0500 Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A686EC061760 for ; Fri, 5 Mar 2021 10:08:29 -0800 (PST) Received: by mail-yb1-xb33.google.com with SMTP id 133so2869269ybd.5 for ; Fri, 05 Mar 2021 10:08:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=i+6o5aVNdSv/9PF60BXlGDu7aBq8OxaHxrB0uLUzYrc=; b=Ny7RBbrR4UlOHG+dSivV32D5lTfFDCzcqftIe4uJ3WEY9i2EmbM46Yx3Zsf75eQzjh 25bgNEBZHgpoLKAwZZtYu80p74H/p+WQ1aPU4sTbAqKqI/hPS17ucdidYpFSCmy9CfGR pSbu/iLFv0UdpdJV5sspL9FXS3QixX75F9ifzlpm+dogqs4rlJPoee7316SO7JPSl/78 364PENxK8UAci0rkZBNJMCDtnHDFY6kSmGYTr9eVnXDOsmX2bUWvlnkRJesiyfi7VrZd rFpWHDvFxpIORgE5AgAjTstkr43hqtBRKxomoIBoju1bRkumL1zhVMGpeOENsGLpCik2 CPxw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=i+6o5aVNdSv/9PF60BXlGDu7aBq8OxaHxrB0uLUzYrc=; b=EPcHTIOgNOap/EmU70mHrHBSDCmR7Fxz7mGHGRnK34Mzwzwdm8/ENM5tyo6K7m6UYd 20Y/3pSeDIxTnDe3h3CaSLlF2xh+dUkQ+H9AnUlx9pMX3GdUpzvIumQR+APF4l9cjO7S I4iEK3fZM9nLxmS+FfvInY5rQGhxn079eIYCHxnm4DXYE8o9w5mJ4RIp7ljv3/Suz29f S1vGVqtLeSQE5cPomptFxAr2cR95NSZ9f+EXp1gh5UAfTQsVyPBenAHe2iizO8dNMB13 4GgbhMOWFLXpEmncVjJB/dNEqETo/DbSzux8MV5ufZ92v8eBKqR+wpmZ3xHEh8QMsnsb dVvQ== X-Gm-Message-State: AOAM532XhBDiia79FLl6E7bHQWSrLVf2JeGazYqw5+GtNq7AdWC91a52 1UkDAvfkjvuwBH4toMgWocwOZ4FKBRBVKKeLdNgJTw== X-Received: by 2002:a25:4444:: with SMTP id r65mr16151762yba.84.1614967708501; Fri, 05 Mar 2021 10:08:28 -0800 (PST) MIME-Version: 1.0 References: <20210303185807.2160264-1-surenb@google.com> In-Reply-To: From: Suren Baghdasaryan Date: Fri, 5 Mar 2021 10:08:17 -0800 Message-ID: Subject: Re: [PATCH v3 1/1] mm/madvise: replace ptrace attach requirement for process_madvise To: David Hildenbrand Cc: Shakeel Butt , Andrew Morton , Jann Horn , Kees Cook , Jeffrey Vander Stoep , Minchan Kim , Michal Hocko , David Rientjes , =?UTF-8?Q?Edgar_Arriaga_Garc=C3=ADa?= , Tim Murray , Florian Weimer , Oleg Nesterov , James Morris , Linux MM , SElinux list , Linux API , linux-security-module , stable , LKML , kernel-team Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 5, 2021 at 9:52 AM David Hildenbrand wrote: > > On 05.03.21 18:45, Shakeel Butt wrote: > > On Fri, Mar 5, 2021 at 9:37 AM David Hildenbrand wrote: > >> > >> On 04.03.21 01:03, Shakeel Butt wrote: > >>> On Wed, Mar 3, 2021 at 3:34 PM Suren Baghdasaryan wrote: > >>>> > >>>> On Wed, Mar 3, 2021 at 3:17 PM Shakeel Butt wrote: > >>>>> > >>>>> On Wed, Mar 3, 2021 at 10:58 AM Suren Baghdasaryan wrote: > >>>>>> > >>>>>> process_madvise currently requires ptrace attach capability. > >>>>>> PTRACE_MODE_ATTACH gives one process complete control over another > >>>>>> process. It effectively removes the security boundary between the > >>>>>> two processes (in one direction). Granting ptrace attach capability > >>>>>> even to a system process is considered dangerous since it creates an > >>>>>> attack surface. This severely limits the usage of this API. > >>>>>> The operations process_madvise can perform do not affect the correctness > >>>>>> of the operation of the target process; they only affect where the data > >>>>>> is physically located (and therefore, how fast it can be accessed). > >>>>>> What we want is the ability for one process to influence another process > >>>>>> in order to optimize performance across the entire system while leaving > >>>>>> the security boundary intact. > >>>>>> Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ > >>>>>> and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata > >>>>>> and CAP_SYS_NICE for influencing process performance. > >>>>>> > >>>>>> Cc: stable@vger.kernel.org # 5.10+ > >>>>>> Signed-off-by: Suren Baghdasaryan > >>>>>> Reviewed-by: Kees Cook > >>>>>> Acked-by: Minchan Kim > >>>>>> Acked-by: David Rientjes > >>>>>> --- > >>>>>> changes in v3 > >>>>>> - Added Reviewed-by: Kees Cook > >>>>>> - Created man page for process_madvise per Andrew's request: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=a144f458bad476a3358e3a45023789cb7bb9f993 > >>>>>> - cc'ed stable@vger.kernel.org # 5.10+ per Andrew's request > >>>>>> - cc'ed linux-security-module@vger.kernel.org per James Morris's request > >>>>>> > >>>>>> mm/madvise.c | 13 ++++++++++++- > >>>>>> 1 file changed, 12 insertions(+), 1 deletion(-) > >>>>>> > >>>>>> diff --git a/mm/madvise.c b/mm/madvise.c > >>>>>> index df692d2e35d4..01fef79ac761 100644 > >>>>>> --- a/mm/madvise.c > >>>>>> +++ b/mm/madvise.c > >>>>>> @@ -1198,12 +1198,22 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, > >>>>>> goto release_task; > >>>>>> } > >>>>>> > >>>>>> - mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS); > >>>>>> + /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */ > >>>>>> + mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); > >>>>>> if (IS_ERR_OR_NULL(mm)) { > >>>>>> ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; > >>>>>> goto release_task; > >>>>>> } > >>>>>> > >>>>>> + /* > >>>>>> + * Require CAP_SYS_NICE for influencing process performance. Note that > >>>>>> + * only non-destructive hints are currently supported. > >>>>> > >>>>> How is non-destructive defined? Is MADV_DONTNEED non-destructive? > >>>> > >>>> Non-destructive in this context means the data is not lost and can be > >>>> recovered. I follow the logic described in > >>>> https://lwn.net/Articles/794704/ where Minchan was introducing > >>>> MADV_COLD and MADV_PAGEOUT as non-destructive versions of MADV_FREE > >>>> and MADV_DONTNEED. Following that logic, MADV_FREE and MADV_DONTNEED > >>>> would be considered destructive hints. > >>>> Note that process_madvise_behavior_valid() allows only MADV_COLD and > >>>> MADV_PAGEOUT at the moment, which are both non-destructive. > >>>> > >>> > >>> There is a plan to support MADV_DONTNEED for this syscall. Do we need > >>> to change these access checks again with that support? > >> > >> Eh, I absolutely don't think letting another process discard memory in > >> another process' address space is a good idea. The target process can > >> observe that easily and might even run into real issues. > >> > >> What's the use case? > >> > > > > Userspace oom reaper. Please look at > > https://lore.kernel.org/linux-api/20201014183943.GA1489464@google.com/T/ > > > > Thanks, somehow I missed that (not that it really changed my opinion on > the approach while skimming over the discussion :) will have a more > detailed look) The latest version of that patchset is: https://lore.kernel.org/patchwork/patch/1344419/ Yeah, memory reaping is a special case when we are operating on a dying process to speed up the release of its memory. I don't know if for that particular case we need to make the checks stricter. It's a dying process anyway and the data is being destroyed. Allowing to speed up that process probably can still use CAP_SYS_NICE. > > -- > Thanks, > > David / dhildenb >