From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A3FEC43387 for ; Sat, 5 Jan 2019 19:38:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4AB43222FE for ; Sat, 5 Jan 2019 19:38:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726330AbfAETid (ORCPT ); Sat, 5 Jan 2019 14:38:33 -0500 Received: from mx2.suse.de ([195.135.220.15]:34578 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726282AbfAETid (ORCPT ); Sat, 5 Jan 2019 14:38:33 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 3E470AEB8; Sat, 5 Jan 2019 19:38:32 +0000 (UTC) Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged To: Jiri Kosina Cc: Linus Torvalds , Andrew Morton , Greg KH , Peter Zijlstra , Michal Hocko , linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org References: From: Vlastimil Babka Message-ID: Date: Sat, 5 Jan 2019 20:38:31 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5.1.2019 20:24, Jiri Kosina wrote: > On Sat, 5 Jan 2019, Vlastimil Babka wrote: > >>> There are possibilities [1] how mincore() could be used as a converyor of >>> a sidechannel information about pagecache metadata. >>> >>> Provide vm.mincore_privileged sysctl, which makes it possible to mincore() >>> start returning -EPERM in case it's invoked by a process lacking >>> CAP_SYS_ADMIN. >> >> Haven't checked the details yet, but wouldn't it be safe if anonymous private >> mincore() kept working, and restrictions were applied only to page cache? > > I was considering that, but then I decided not to do so, as that'd make > the interface even more confusing and semantics non-obvious in the > 'privileged' case. > >>> The default behavior stays "mincore() can be used by anybody" in order to >>> be conservative with respect to userspace behavior. >> >> What if we lied instead of returned -EPERM, to not break userspace so >> obviously? I guess false positive would be the safer lie? > > So your proposal basically would be > > if (privileged && !CAP_SYS_ADMIN) > if (pagecache) > return false; I was thinking about "return true" here, assuming that userspace generally wants to ensure itself there won't be page faults when it starts doing something critical, and if it sees a "false" it will try to do some kind of prefaulting, possibly in a loop. There might be somebody trying to make sure something is out of pagecache (it wants to see "false"), but can't think of anything except benchmarks? > else > return do_mincore() > > right ? > > I think userspace would hate us for that semantics, but on the other hand > I can sort of understand the 'mincore() is racy anyway, so what' argument, > if that's what you are suggesting. > > But then, I have no idea what userspace is using mincore() for. > https://codesearch.debian.net/search?q=mincore might provide some insight > I guess (thanks Matthew). >