[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210113141932.GB22493@dhcp22.suse.cz>
Date: Wed, 13 Jan 2021 15:19:32 +0100
From: Michal Hocko <mhocko@...e.com>
To: Suren Baghdasaryan <surenb@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Jann Horn <jannh@...gle.com>,
Kees Cook <keescook@...omium.org>,
Jeffrey Vander Stoep <jeffv@...gle.com>,
Minchan Kim <minchan@...nel.org>,
Shakeel Butt <shakeelb@...gle.com>,
David Rientjes <rientjes@...gle.com>,
Edgar Arriaga GarcĂa
<edgararriaga@...gle.com>, Tim Murray <timmurray@...gle.com>,
linux-mm <linux-mm@...ck.org>, selinux@...r.kernel.org,
Linux API <linux-api@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
kernel-team <kernel-team@...roid.com>,
Oleg Nesterov <oleg@...hat.com>
Subject: Re: [PATCH v2 1/1] mm/madvise: replace ptrace attach requirement for
process_madvise
On Tue 12-01-21 10:12:03, Suren Baghdasaryan wrote:
> On Mon, Jan 11, 2021 at 11:46 PM Michal Hocko <mhocko@...e.com> wrote:
> >
> > On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote:
> > > process_madvise currently requires ptrace attach capability.
> > > PTRACE_MODE_ATTACH gives one process complete control over another
> > > process. It effectively removes the security boundary between the
> > > two processes (in one direction). Granting ptrace attach capability
> > > even to a system process is considered dangerous since it creates an
> > > attack surface. This severely limits the usage of this API.
> > > The operations process_madvise can perform do not affect the correctness
> > > of the operation of the target process; they only affect where the data
> > > is physically located (and therefore, how fast it can be accessed).
> >
> > Yes it doesn't influence the correctness but it is still a very
> > sensitive operation because it can allow a targeted side channel timing
> > attacks so we should be really careful.
>
> Sorry, I missed this comment in my answer. Possibility of affecting
> the target's performance including side channel attack is why we
> require CAP_SYS_NICE.
OK. It would be really good to document that in the man page. From the
current wording it seems we already rely on this cap for migration on a
remote process which is not the same thing but it roughly falls into the
similar category.
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists