Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2286935pxb;
        Fri, 5 Mar 2021 11:43:46 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzVwT1KO5+rMVKPo80rfQ2+4OBmruv+exAfLn9ElWFnz4D0Iz5Gr7HiIV3XTAlDYxdOEhfA
X-Received: by 2002:a17:907:f97:: with SMTP id kb23mr3848006ejc.33.1614973425833;
        Fri, 05 Mar 2021 11:43:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614973425; cv=none;
        d=google.com; s=arc-20160816;
        b=ISIvlFPGVO9tOPJa7Q0y9nSGJ7zvgqOYeRWVOESw3jA87rjuneU9HKQ7PUQr1L2q9z
         R5E7Ok0DpvkDB6z3ANtNJR8CHHOwhC0xQvFo8cDajCt3SQzKd0UIhUdpWUlCZ5DvYe8X
         tsZDBresHBFf3e1shLK+pm/QmVoiSAcSqDpX/uB5pex31lfDSavGP9RAnTmzfqxMbRR6
         /kP/iWay5aMSxO/JtyVX2URZG9H/w7JhPpHLKy98BTF4k8eSmwZi9yVzSXdAS6XTJ0Kj
         DC1zirYwJkRmp7+Z509tiy0aoLIa8CyLDHmCgiWFWvC86BUAeBbeewQvmwakPdO53DES
         0Uag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:in-reply-to:cc:references:message-id:date
         :subject:mime-version:from:content-transfer-encoding:dkim-signature;
        bh=rIyScA6Mo4EmL+2XyKsh9B4ovscCNZHcZ56Sz7w7WWU=;
        b=YFVRM4mHrKMlLQgJqXquB/aYHmFogyFnjcJntBOoQHQvYSwHKdMdq6tCUJFllGAg+S
         YxhiY+B5eaSLkE2nKF9YqQb6IGpZ4v19gdKSY6KcgHlU5J0yw8D8JF2yaKZSKErNWszY
         cOyKg0IdgF0sPUdBXH2m9Jy9N8RqyNzBslNU963+zPiaeduMV6JehPW9JnfmUKG0r3OT
         N4wg0GS6PS+O+rs45VVj8toIsc30WMIHZJHCxauwSbSaPYHfoiXUlroF5oQudEC3fFhf
         5SRGNTs/DKgBGIw6kfiqt6qbceY2dTfNPfWAo9FNMMZVmDeAUa0JEeOaQSEcxI6Udw+z
         ILcA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=IdXjBWnZ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id b14si2197272eds.379.2021.03.05.11.43.22;
        Fri, 05 Mar 2021 11:43:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=IdXjBWnZ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229965AbhCETlU (ORCPT <rfc822;lwx169@gmail.com> + 99 others);
        Fri, 5 Mar 2021 14:41:20 -0500
Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:41842 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S229793AbhCETlN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 5 Mar 2021 14:41:13 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1614973273;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=rIyScA6Mo4EmL+2XyKsh9B4ovscCNZHcZ56Sz7w7WWU=;
        b=IdXjBWnZh0xuKOoMu32lnceb6btwz92RI0oLmmiHm3lDJDUjRSvgF631sPYunUWUEWeFlc
        Qss+fOKfBfl3rKNBK5R/zb4EPiUu6N1dldJ+veHgO1k4eCD+GeOMsiveND3xOjeBCXDOvX
        IbSMbE9H6o5zvqEoB1i2WTX8x3GbnC4=
Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com
 [209.85.128.72]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-466-C8OOpoRvMnCwpziWD9goDg-1; Fri, 05 Mar 2021 14:41:08 -0500
X-MC-Unique: C8OOpoRvMnCwpziWD9goDg-1
Received: by mail-wm1-f72.google.com with SMTP id a3so746638wmm.0
        for <linux-kernel@vger.kernel.org>; Fri, 05 Mar 2021 11:41:08 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:content-transfer-encoding:from:mime-version
         :subject:date:message-id:references:cc:in-reply-to:to;
        bh=rIyScA6Mo4EmL+2XyKsh9B4ovscCNZHcZ56Sz7w7WWU=;
        b=gkmpt0jBYUJuFzpjIb+G/ELeJd9SKWMaYwWUiC9Kla3Krqezun52gcOuP7/cvz38C6
         LXNBAcaPpYyM/KwwouC0fDN3a1abMXrRz8xrmnWcOlf5V8+/oAmYhvCQR15bE8qScwTf
         ri6Z+9w3ZvvAu/d/hQ9Lt0IuhlddbClkWpf9RoGZae3z6p4JIhm0BKCwN/MvYbYrlQHE
         Zz6iJBPfu2s4wAIuX0axbFyOtaNG0s05h1yCZfDEzxKsV/CEsNIevGOI29yzTefC+f5O
         6fBljdbnMcHZSQdq85o7JY0boIWXSNGomtUd+80N+1wlaMNF8J7nrmiO4h79Y5JddHz3
         buWA==
X-Gm-Message-State: AOAM5333TXhDR8UpuCI/KAphrptdfMb29I2Xil7iLHSDxWcnrVL+9sX+
        AcXkH8CMjgjS/eXV2Y4nxrQ+UOyxJsv5JU2oh5qbZfcrYAmE9xNXqi+Q75bWLbsyr//kIvg87y/
        LJI894fd3XxLLu0mUBDsTUpFK
X-Received: by 2002:adf:ebcb:: with SMTP id v11mr10764005wrn.231.1614973267347;
        Fri, 05 Mar 2021 11:41:07 -0800 (PST)
X-Received: by 2002:adf:ebcb:: with SMTP id v11mr10763976wrn.231.1614973267004;
        Fri, 05 Mar 2021 11:41:07 -0800 (PST)
Received: from [192.168.3.108] (p5b0c6b97.dip0.t-ipconnect.de. [91.12.107.151])
        by smtp.gmail.com with ESMTPSA id m11sm5693156wrz.40.2021.03.05.11.41.06
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 05 Mar 2021 11:41:06 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From:   David Hildenbrand <david@redhat.com>
Mime-Version: 1.0 (1.0)
Subject: Re: [PATCH v3 1/1] mm/madvise: replace ptrace attach requirement for process_madvise
Date:   Fri, 5 Mar 2021 20:41:04 +0100
Message-Id: <245612A8-56DA-47D8-BB18-613FF9C8AF96@redhat.com>
References: <CAJuCfpHDtu0R6zZ0uo0YZgCE=dyhy6bsToUU2+reo3pBV0PcBg@mail.gmail.com>
Cc:     David Hildenbrand <david@redhat.com>,
        Shakeel Butt <shakeelb@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Jann Horn <jannh@google.com>,
        Kees Cook <keescook@chromium.org>,
        Jeffrey Vander Stoep <jeffv@google.com>,
        Minchan Kim <minchan@kernel.org>,
        Michal Hocko <mhocko@suse.com>,
        David Rientjes <rientjes@google.com>,
        =?utf-8?Q?Edgar_Arriaga_Garc=C3=ADa?= <edgararriaga@google.com>,
        Tim Murray <timmurray@google.com>,
        Florian Weimer <fweimer@redhat.com>,
        Oleg Nesterov <oleg@redhat.com>,
        James Morris <jmorris@namei.org>,
        Linux MM <linux-mm@kvack.org>,
        SElinux list <selinux@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        stable <stable@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        kernel-team <kernel-team@android.com>
In-Reply-To: <CAJuCfpHDtu0R6zZ0uo0YZgCE=dyhy6bsToUU2+reo3pBV0PcBg@mail.gmail.com>
To:     Suren Baghdasaryan <surenb@google.com>
X-Mailer: iPhone Mail (18D52)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


> Am 05.03.2021 um 19:36 schrieb Suren Baghdasaryan <surenb@google.com>:
>=20
> =EF=BB=BFOn Fri, Mar 5, 2021 at 10:23 AM David Hildenbrand <david@redhat.c=
om> wrote:
>>=20
>>> On 05.03.21 19:08, Suren Baghdasaryan wrote:
>>> On Fri, Mar 5, 2021 at 9:52 AM David Hildenbrand <david@redhat.com> wrot=
e:
>>>>=20
>>>> On 05.03.21 18:45, Shakeel Butt wrote:
>>>>> On Fri, Mar 5, 2021 at 9:37 AM David Hildenbrand <david@redhat.com> wr=
ote:
>>>>>>=20
>>>>>> On 04.03.21 01:03, Shakeel Butt wrote:
>>>>>>> On Wed, Mar 3, 2021 at 3:34 PM Suren Baghdasaryan <surenb@google.com=
> wrote:
>>>>>>>>=20
>>>>>>>> On Wed, Mar 3, 2021 at 3:17 PM Shakeel Butt <shakeelb@google.com> w=
rote:
>>>>>>>>>=20
>>>>>>>>> On Wed, Mar 3, 2021 at 10:58 AM Suren Baghdasaryan <surenb@google.=
com> wrote:
>>>>>>>>>>=20
>>>>>>>>>> process_madvise currently requires ptrace attach capability.
>>>>>>>>>> PTRACE_MODE_ATTACH gives one process complete control over anothe=
r
>>>>>>>>>> process. It effectively removes the security boundary between the=

>>>>>>>>>> two processes (in one direction). Granting ptrace attach capabili=
ty
>>>>>>>>>> even to a system process is considered dangerous since it creates=
 an
>>>>>>>>>> attack surface. This severely limits the usage of this API.
>>>>>>>>>> The operations process_madvise can perform do not affect the corr=
ectness
>>>>>>>>>> of the operation of the target process; they only affect where th=
e data
>>>>>>>>>> is physically located (and therefore, how fast it can be accessed=
).
>>>>>>>>>> What we want is the ability for one process to influence another p=
rocess
>>>>>>>>>> in order to optimize performance across the entire system while l=
eaving
>>>>>>>>>> the security boundary intact.
>>>>>>>>>> Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ=

>>>>>>>>>> and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metada=
ta
>>>>>>>>>> and CAP_SYS_NICE for influencing process performance.
>>>>>>>>>>=20
>>>>>>>>>> Cc: stable@vger.kernel.org # 5.10+
>>>>>>>>>> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
>>>>>>>>>> Reviewed-by: Kees Cook <keescook@chromium.org>
>>>>>>>>>> Acked-by: Minchan Kim <minchan@kernel.org>
>>>>>>>>>> Acked-by: David Rientjes <rientjes@google.com>
>>>>>>>>>> ---
>>>>>>>>>> changes in v3
>>>>>>>>>> - Added Reviewed-by: Kees Cook <keescook@chromium.org>
>>>>>>>>>> - Created man page for process_madvise per Andrew's request: http=
s://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=3Da144f45=
8bad476a3358e3a45023789cb7bb9f993
>>>>>>>>>> - cc'ed stable@vger.kernel.org # 5.10+ per Andrew's request
>>>>>>>>>> - cc'ed linux-security-module@vger.kernel.org per James Morris's r=
equest
>>>>>>>>>>=20
>>>>>>>>>>    mm/madvise.c | 13 ++++++++++++-
>>>>>>>>>>    1 file changed, 12 insertions(+), 1 deletion(-)
>>>>>>>>>>=20
>>>>>>>>>> diff --git a/mm/madvise.c b/mm/madvise.c
>>>>>>>>>> index df692d2e35d4..01fef79ac761 100644
>>>>>>>>>> --- a/mm/madvise.c
>>>>>>>>>> +++ b/mm/madvise.c
>>>>>>>>>> @@ -1198,12 +1198,22 @@ SYSCALL_DEFINE5(process_madvise, int, pid=
fd, const struct iovec __user *, vec,
>>>>>>>>>>                   goto release_task;
>>>>>>>>>>           }
>>>>>>>>>>=20
>>>>>>>>>> -       mm =3D mm_access(task, PTRACE_MODE_ATTACH_FSCREDS);
>>>>>>>>>> +       /* Require PTRACE_MODE_READ to avoid leaking ASLR metadat=
a. */
>>>>>>>>>> +       mm =3D mm_access(task, PTRACE_MODE_READ_FSCREDS);
>>>>>>>>>>           if (IS_ERR_OR_NULL(mm)) {
>>>>>>>>>>                   ret =3D IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
>>>>>>>>>>                   goto release_task;
>>>>>>>>>>           }
>>>>>>>>>>=20
>>>>>>>>>> +       /*
>>>>>>>>>> +        * Require CAP_SYS_NICE for influencing process performan=
ce. Note that
>>>>>>>>>> +        * only non-destructive hints are currently supported.
>>>>>>>>>=20
>>>>>>>>> How is non-destructive defined? Is MADV_DONTNEED non-destructive?
>>>>>>>>=20
>>>>>>>> Non-destructive in this context means the data is not lost and can b=
e
>>>>>>>> recovered. I follow the logic described in
>>>>>>>> https://lwn.net/Articles/794704/ where Minchan was introducing
>>>>>>>> MADV_COLD and MADV_PAGEOUT as non-destructive versions of MADV_FREE=

>>>>>>>> and MADV_DONTNEED. Following that logic, MADV_FREE and MADV_DONTNEE=
D
>>>>>>>> would be considered destructive hints.
>>>>>>>> Note that process_madvise_behavior_valid() allows only MADV_COLD an=
d
>>>>>>>> MADV_PAGEOUT at the moment, which are both non-destructive.
>>>>>>>>=20
>>>>>>>=20
>>>>>>> There is a plan to support MADV_DONTNEED for this syscall. Do we nee=
d
>>>>>>> to change these access checks again with that support?
>>>>>>=20
>>>>>> Eh, I absolutely don't think letting another process discard memory i=
n
>>>>>> another process' address space is a good idea. The target process can=

>>>>>> observe that easily and might even run into real issues.
>>>>>>=20
>>>>>> What's the use case?
>>>>>>=20
>>>>>=20
>>>>> Userspace oom reaper. Please look at
>>>>> https://lore.kernel.org/linux-api/20201014183943.GA1489464@google.com/=
T/
>>>>>=20
>>>>=20
>>>> Thanks, somehow I missed that (not that it really changed my opinion on=

>>>> the approach while skimming over the discussion :) will have a more
>>>> detailed look)
>>>=20
>>> The latest version of that patchset is:
>>> https://lore.kernel.org/patchwork/patch/1344419/
>>> Yeah, memory reaping is a special case when we are operating on a
>>> dying process to speed up the release of its memory. I don't know if
>>> for that particular case we need to make the checks stricter. It's a
>>> dying process anyway and the data is being destroyed. Allowing to
>>> speed up that process probably can still use CAP_SYS_NICE.
>>=20
>> I know, unrelated discussion (sorry, I don't have above thread in my
>> archive anymore due to automatic cleanups ...) , but introducing
>> MADV_DONTEED on a remote processes, having to tweak range logic because
>> we always want to apply it to the whole MM, just to speed up memory
>> reaping sounds like completely abusing madvise()/process_madvise() to me.=

>>=20
>> You want different semantics than MADV_DONTNEED. You want different
>> semantics than madvise.
>>=20
>> Simple example: mlock()ed pages in the target process. MADV_DONTNEED
>> would choke on that. For the use case of reaping, you certainly don't car=
e.
>>=20
>> I am not sure if process_madvise() is the right interface to enforce
>> discarding of all target memory.
>>=20
>>=20
>> Not to mention that MADV_FREE doesn't make any sense IMHO for memory
>> reaping ... no to mention exposing this via process_madvise().
>=20
> Yeah, that was the last comment from Christoph Hellwig on
> https://lore.kernel.org/patchwork/patch/1344418/
> I'll be rethinking the whole approach. Previously I proposed couple
> different approaches that would make reaping a part of the kill by
> adding a new flag for pidfd_send_signal:
> https://lore.kernel.org/patchwork/patch/1338196/
> https://lore.kernel.org/patchwork/patch/1060407/
> but maybe a separate syscall for reaping is indeed the right way to go...

Yeah, most likely!

>=20