linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Colm MacCárthaigh" <colm@allcosts.net>
To: Michal Hocko <mhocko@kernel.org>
Cc: Rik van Riel <riel@redhat.com>,
	linux-kernel@vger.kernel.org,
	Mike Kravetz <mike.kravetz@oracle.com>,
	linux-mm@kvack.org, Florian Weimer <fweimer@redhat.com>,
	akpm@linux-foundation.org, Kees Cook <keescook@chromium.org>,
	luto@amacapital.net, Will Drewry <wad@chromium.org>,
	mingo@kernel.org, kirill@shutemov.name, dave.hansen@intel.com,
	linux-api@vger.kernel.org
Subject: Re: [PATCH v2 0/2] mm,fork,security: introduce MADV_WIPEONFORK
Date: Thu, 10 Aug 2017 15:23:05 +0200	[thread overview]
Message-ID: <CAAF6GDc2hsj-XJj=Rx2ZF6Sh3Ke6nKewABXfqQxQjfDd5QN7Ug@mail.gmail.com> (raw)
In-Reply-To: <20170810130531.GS23863@dhcp22.suse.cz>

On Thu, Aug 10, 2017 at 3:05 PM, Michal Hocko <mhocko@kernel.org> wrote:
>> Too late for that. VM_DONTFORK is already implemented
>> through MADV_DONTFORK & MADV_DOFORK, in a way that is
>> very similar to the MADV_WIPEONFORK from these patches.
>
> Yeah, those two seem to be breaking the "madvise as an advise" semantic as
> well but that doesn't mean we should follow that pattern any further.

I would imagine that many of the crypto applications using
MADV_WIPEONFORK will also be using MADV_DONTDUMP. In cases where it's
for protecting secret keys, I'd like to use both in my code, for
example. Though that doesn't really help decide this.

There is also at least one case for being able to turn WIPEONFORK
on/off with an existing page; a process that uses privilege separation
often goes through the following flow:

1. [ Access privileged keys as a power user and initialize memory ]
2. [ Fork a child process that actually does the work ]
3. [ Child drops privileges and uses the memory to do work ]
4. [ Parent hangs around to re-spawn a child if it crashes ]

In that mode it would be convenient to be able to mark the memory as
WIPEONFORK in the child, but not the parent.

-- 
Colm

  reply	other threads:[~2017-08-10 13:23 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-06 14:04 [PATCH v2 0/2] mm,fork,security: introduce MADV_WIPEONFORK riel
2017-08-06 14:04 ` [PATCH 1/2] x86,mpx: make mpx depend on x86-64 to free up VMA flag riel
2017-08-06 14:04 ` [PATCH 2/2] mm,fork: introduce MADV_WIPEONFORK riel
2017-08-10 15:23   ` Michal Hocko
2017-08-11 15:23     ` Rik van Riel
2017-08-11 16:36       ` Mike Kravetz
2017-08-11 16:59         ` Rik van Riel
2017-08-11 17:07           ` Mike Kravetz
2017-08-07 13:22 ` [PATCH v2 0/2] mm,fork,security: " Michal Hocko
2017-08-07 13:46   ` Michal Hocko
2017-08-07 14:19     ` Florian Weimer
2017-08-10 13:06       ` Michal Hocko
2017-08-07 14:59     ` Rik van Riel
2017-08-09  9:59       ` Kirill A. Shutemov
2017-08-09 12:31         ` Rik van Riel
2017-08-09 12:42         ` Florian Weimer
2017-08-10 13:05       ` Michal Hocko
2017-08-10 13:23         ` Colm MacCárthaigh [this message]
2017-08-10 15:36           ` Michal Hocko
     [not found]             ` <CAAF6GDeno6RpHf1KORVSxUL7M-CQfbWFFdyKK8LAWd_6PcJ55Q@mail.gmail.com>
2017-08-10 17:01               ` Michal Hocko
2017-08-10 22:09                 ` Colm MacCárthaigh
2017-08-11 14:06                   ` Michal Hocko
2017-08-11 14:11                     ` Florian Weimer
2017-08-11 14:24                       ` Michal Hocko
2017-08-11 15:24                         ` Florian Weimer
2017-08-11 15:31                           ` Michal Hocko
     [not found]     ` <CAAF6GDcNoDUaDSxV6N12A_bOzo8phRUX5b8-OBteuN0AmeCv0g@mail.gmail.com>
2017-08-07 16:02       ` Colm MacCárthaigh
2017-08-10 13:21       ` Michal Hocko
2017-08-10 14:11         ` Michal Hocko
2017-08-07 18:23 ` Mike Kravetz
2017-08-08  9:58   ` Florian Weimer
2017-08-08 13:15     ` Rik van Riel
2017-08-08 15:19       ` Mike Kravetz
2017-08-08 15:22         ` Florian Weimer
2017-08-08 15:46         ` Rik van Riel
2017-08-08 16:48           ` Colm MacCárthaigh
2017-08-08 16:52           ` Matthew Wilcox
2017-08-08 18:45             ` Rik van Riel
2017-08-10 15:31               ` Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAAF6GDc2hsj-XJj=Rx2ZF6Sh3Ke6nKewABXfqQxQjfDd5QN7Ug@mail.gmail.com' \
    --to=colm@allcosts.net \
    --cc=akpm@linux-foundation.org \
    --cc=dave.hansen@intel.com \
    --cc=fweimer@redhat.com \
    --cc=keescook@chromium.org \
    --cc=kirill@shutemov.name \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@amacapital.net \
    --cc=mhocko@kernel.org \
    --cc=mike.kravetz@oracle.com \
    --cc=mingo@kernel.org \
    --cc=riel@redhat.com \
    --cc=wad@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).