lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Jan 2021 14:15:37 -0800 From: Minchan Kim <minchan@...nel.org> To: Suren Baghdasaryan <surenb@...gle.com> Cc: akpm@...ux-foundation.org, jannh@...gle.com, keescook@...omium.org, jeffv@...gle.com, mhocko@...e.com, shakeelb@...gle.com, rientjes@...gle.com, edgararriaga@...gle.com, timmurray@...gle.com, linux-mm@...ck.org, selinux@...r.kernel.org, linux-api@...r.kernel.org, linux-kernel@...r.kernel.org, kernel-team@...roid.com Subject: Re: [PATCH 1/1] mm/madvise: replace ptrace attach requirement for process_madvise On Fri, Jan 08, 2021 at 12:58:57PM -0800, Suren Baghdasaryan wrote: > process_madvise currently requires ptrace attach capability. > PTRACE_MODE_ATTACH gives one process complete control over another > process. It effectively removes the security boundary between the > two processes (in one direction). Granting ptrace attach capability > even to a system process is considered dangerous since it creates an > attack surface. This severely limits the usage of this API. > The operations process_madvise can perform do not affect the correctness > of the operation of the target process; they only affect where the data > is physically located (and therefore, how fast it can be accessed). > What we want is the ability for one process to influence another process > in order to optimize performance across the entire system while leaving > the security boundary intact. > Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ > and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata > and CAP_SYS_NICE for influencing process performance. > > Signed-off-by: Suren Baghdasaryan <surenb@...gle.com> It sounds logical to me. If security folks don't see any concern and fix below, Acked-by: Minchan Kim <minchan@...nel.org> > @@ -1197,12 +1197,22 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, > goto release_task; > } > > - mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS); > + /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */ > + mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); > if (IS_ERR_OR_NULL(mm)) { > ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; > goto release_task; > } > > + /* > + * Require CAP_SYS_NICE for influencing process performance. Note that > + * only non-destructive hints are currently supported. > + */ > + if (!capable(CAP_SYS_NICE)) { > + ret = -EPERM; > + goto release_task; mmput? > + } > + > total_len = iov_iter_count(&iter); > > while (iov_iter_count(&iter)) { > -- > 2.30.0.284.gd98b1dd5eaa7-goog >
Powered by blists - more mailing lists