From: Daniel Colascione
Date: Mon, 13 Jan 2020 13:04:44 -0800
Subject: Re: [PATCH 2/4] mm: introduce external memory hinting API
To: Christian Brauner
Cc: Minchan Kim, Kirill Tkhai, Michal Hocko, Andrew Morton, LKML, linux-mm, Linux API, oleksandr@redhat.com, Suren Baghdasaryan, Tim Murray, Sandeep Patil, Sonny Rao, Brian Geffon, Johannes Weiner, Shakeel Butt, John Dias
In-Reply-To: <20200113204237.ew6nn4ohxu7auw3u@wittgenstein>

On Mon, Jan 13, 2020 at 12:42 PM Christian Brauner wrote:
>
> On Mon, Jan 13, 2020 at 11:27:03AM -0800, Daniel Colascione wrote:
> > On Mon, Jan 13, 2020 at 11:10 AM Christian Brauner wrote:
> > > This does not
> > > affect the permission checking you're performing here.
> >
> > Pidfds-as-capabilities sounds like a good change. Can you clarify what
> > you mean here though? Do you mean that in order to perform some
> > process-directed operation X on process Y, the pidfd passed to X must
> > have been opened with PIDFD_CAP_X *and* the process *using* the pidfds
> > must be able to perform operation X on process Y? Or do pidfds in this
> > model "carry" permissions in the same way that an ordinary file
> > descriptor "carries" the ability to write to a file if it was opened
> > with O_WRONLY even if the FD is passed to a process that couldn't
> > otherwise write to that file? Right now, pidfds are identity-only and
> > always rely on the caller's permissions. I like the capability bit
> > model because it makes pidfds more consistent with other file
> > descriptors and enables delegation of capabilities across the system.
>
> I'm going back and forth on this. My initial implementation has it that
> you'd need both, PIDFD_FLAG/CAP_X and the process using the pidfd must
> be able to perform the operation X on process Y. The alternative becomes
> tricky for e.g. anything that requires ptrace_may_access() permissions
> such as getting an fd out from another task based on its pidfd and so
> on.

I think the alternative is necessary though. What's the point of the
pidfd capability bits if they don't grant access? If I have a pidfd for
Y that doesn't let me do operation X, but I have ambient authority to do
Y anyway, then I can just make my own pidfd for Y and then use that new
pidfd to do X. AFAICT, pidfd capabilities only do something when they
replace ptrace_may_access and friends for access control. Otherwise,
they seem purely advisory. Am I missing something?
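The following is an added toy model, not code from this thread or from the kernel, that works through the two permission models being compared above. Model "both" checks the pidfd's capability bit AND the caller's ambient ptrace_may_access() at every use; model "delegate" checks ambient authority only when a capable pidfd is minted, after which the fd itself is the authority, like an O_WRONLY file descriptor. The names PidfdCap.HINT, Task, Pidfd, the two model labels and the helper functions are all assumptions made for the illustration; the single target task "Y" and the "privileged"/"unprivileged" holders are constructed sample input.

```python
"""Toy model (added example, not kernel code) of two pidfd permission models:
"both"     - capability bit AND ambient ptrace_may_access() checked at use time
"delegate" - ambient authority checked when a capable pidfd is minted; the fd
             alone then authorizes the operation.
"""
from dataclasses import dataclass
from enum import Flag, auto
from itertools import product


class PidfdCap(Flag):
    """Hypothetical per-pidfd capability bits (the thread's PIDFD_CAP_X)."""
    NONE = 0
    HINT = auto()  # stand-in for the memory-hinting operation under review


@dataclass(frozen=True)
class Pidfd:
    target: str      # name of the task the fd identifies
    caps: PidfdCap   # capability bits recorded when the fd was opened


@dataclass(frozen=True)
class Task:
    name: str
    may_access: frozenset  # targets this task has ambient authority over


def ptrace_may_access(caller: Task, target: str) -> bool:
    """Stand-in for the kernel's ptrace_may_access() check."""
    return target in caller.may_access


# --- Model A: "both" -------------------------------------------------------

def pidfd_open_both(caller: Task, target: str, caps: PidfdCap) -> Pidfd:
    # Nothing to check at open time: the ambient check happens at every use.
    return Pidfd(target, caps)


def hint_allowed_both(caller: Task, fd: Pidfd) -> bool:
    return PidfdCap.HINT in fd.caps and ptrace_may_access(caller, fd.target)


# --- Model B: "delegate" ---------------------------------------------------

def pidfd_open_delegate(caller: Task, target: str, caps: PidfdCap) -> Pidfd:
    # A capable fd can only be minted by a task that already has authority;
    # once minted, the fd carries that authority to whoever holds it.
    if caps != PidfdCap.NONE and not ptrace_may_access(caller, target):
        raise PermissionError(f"{caller.name} cannot mint caps on {target}")
    return Pidfd(target, caps)


def hint_allowed_delegate(caller: Task, fd: Pidfd) -> bool:
    return PidfdCap.HINT in fd.caps


# --- What a holder can achieve, counting the option to mint a fresh fd -----

def effective(model: str, holder: Task, fd: Pidfd) -> bool:
    """True if `holder`, given `fd`, can end up performing HINT on fd.target,
    either through that fd or by opening its own pidfd with the bit set."""
    open_fn, check_fn = {
        "both": (pidfd_open_both, hint_allowed_both),
        "delegate": (pidfd_open_delegate, hint_allowed_delegate),
    }[model]
    if check_fn(holder, fd):
        return True
    try:
        fresh = open_fn(holder, fd.target, PidfdCap.HINT)
    except PermissionError:
        return False
    return check_fn(holder, fresh)


def fd_bit_matters(model: str) -> bool:
    """Does the capability bit ever change the outcome compared with ambient
    authority alone? Enumerates every (holder, fd caps) combination for one
    constructed target task "Y"."""
    privileged = Task("privileged", frozenset({"Y"}))
    unprivileged = Task("unprivileged", frozenset())
    for holder, caps in product((privileged, unprivileged),
                                (PidfdCap.NONE, PidfdCap.HINT)):
        # The fd may have been minted by the privileged task and handed over.
        fd = Pidfd("Y", caps)
        if effective(model, holder, fd) != ptrace_may_access(holder, "Y"):
            return True
    return False


if __name__ == "__main__":
    for m in ("both", "delegate"):
        print(f"{m:8s}: capability bit changes outcome = {fd_bit_matters(m)}")
```

Under "both", `fd_bit_matters` comes out False for every holder: a task with ambient authority simply mints a fresh capable fd, and a task without it gains nothing from a capable fd, so the bit never changes what the ambient check alone would decide. Under "delegate", an unprivileged holder of a capable fd can perform the operation while a fresh fd cannot be minted without authority, which is the delegation behaviour the O_WRONLY comparison describes.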