linux-api.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@suse.com>
To: Suren Baghdasaryan <surenb@google.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
	"Jann Horn" <jannh@google.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Jeffrey Vander Stoep" <jeffv@google.com>,
	"Minchan Kim" <minchan@kernel.org>,
	"Shakeel Butt" <shakeelb@google.com>,
	"David Rientjes" <rientjes@google.com>,
	"Edgar Arriaga García" <edgararriaga@google.com>,
	"Tim Murray" <timmurray@google.com>,
	linux-mm <linux-mm@kvack.org>,
	selinux@vger.kernel.org, "Linux API" <linux-api@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	kernel-team <kernel-team@android.com>,
	"Oleg Nesterov" <oleg@redhat.com>
Subject: Re: [PATCH v2 1/1] mm/madvise: replace ptrace attach requirement for process_madvise
Date: Wed, 13 Jan 2021 15:19:32 +0100	[thread overview]
Message-ID: <20210113141932.GB22493@dhcp22.suse.cz> (raw)
In-Reply-To: <CAJuCfpHazLXJ1rpJQ+w9=8-O==rzz3yEVuVtSn-sYMS+a3FoXQ@mail.gmail.com>

On Tue 12-01-21 10:12:03, Suren Baghdasaryan wrote:
> On Mon, Jan 11, 2021 at 11:46 PM Michal Hocko <mhocko@suse.com> wrote:
> >
> > On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote:
> > > process_madvise currently requires ptrace attach capability.
> > > PTRACE_MODE_ATTACH gives one process complete control over another
> > > process. It effectively removes the security boundary between the
> > > two processes (in one direction). Granting ptrace attach capability
> > > even to a system process is considered dangerous since it creates an
> > > attack surface. This severely limits the usage of this API.
> > > The operations process_madvise can perform do not affect the correctness
> > > of the operation of the target process; they only affect where the data
> > > is physically located (and therefore, how fast it can be accessed).
> >
> > Yes it doesn't influence the correctness but it is still a very
> > sensitive operation because it can allow a targeted side channel timing
> > attacks so we should be really careful.
> 
> Sorry, I missed this comment in my answer. Possibility of affecting
> the target's performance including side channel attack is why we
> require CAP_SYS_NICE.

OK. It would be really good to document that in the man page. From the
current wording it seems we already rely on this cap for migration on a
remote process which is not the same thing but it roughly falls into the
similar category.
-- 
Michal Hocko
SUSE Labs

  reply	other threads:[~2021-01-13 14:20 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-11 17:06 [PATCH v2 1/1] mm/madvise: replace ptrace attach requirement for process_madvise Suren Baghdasaryan
2021-01-11 18:33 ` Kees Cook
2021-01-12  1:22 ` Andrew Morton
2021-01-12 17:36   ` Suren Baghdasaryan
2021-01-12  7:46 ` Michal Hocko
2021-01-12 17:45   ` Oleg Nesterov
2021-01-12 17:51     ` Suren Baghdasaryan
2021-01-13 14:22       ` Michal Hocko
2021-01-13 18:08         ` Suren Baghdasaryan
2021-01-20 13:17         ` Jann Horn
2021-01-20 16:57           ` Suren Baghdasaryan
2021-01-20 20:46             ` Suren Baghdasaryan
2021-01-26 13:52           ` Michal Hocko
2021-01-28 19:51             ` Suren Baghdasaryan
2021-01-29  7:08               ` Suren Baghdasaryan
2021-02-02  5:34                 ` Suren Baghdasaryan
2021-03-02 23:53                   ` Suren Baghdasaryan
2021-03-03  0:17                     ` Andrew Morton
2021-03-03  0:19                       ` Suren Baghdasaryan
2021-03-03 19:00                         ` Suren Baghdasaryan
2021-01-12 18:12   ` Suren Baghdasaryan
2021-01-13 14:19     ` Michal Hocko [this message]
2021-01-20  5:01 ` James Morris
2021-01-20 16:49   ` Suren Baghdasaryan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210113141932.GB22493@dhcp22.suse.cz \
    --to=mhocko@suse.com \
    --cc=akpm@linux-foundation.org \
    --cc=edgararriaga@google.com \
    --cc=jannh@google.com \
    --cc=jeffv@google.com \
    --cc=keescook@chromium.org \
    --cc=kernel-team@android.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=minchan@kernel.org \
    --cc=oleg@redhat.com \
    --cc=rientjes@google.com \
    --cc=selinux@vger.kernel.org \
    --cc=shakeelb@google.com \
    --cc=surenb@google.com \
    --cc=timmurray@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).