Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged

From: Jiri Kosina
Date: Sat Jan 05 2019 - 14:24:07 EST


On Sat, 5 Jan 2019, Vlastimil Babka wrote:

> > There are possibilities [1] how mincore() could be used as a converyor of
> > a sidechannel information about pagecache metadata.
> >
> > Provide vm.mincore_privileged sysctl, which makes it possible to mincore()
> > start returning -EPERM in case it's invoked by a process lacking
> > CAP_SYS_ADMIN.
>
> Haven't checked the details yet, but wouldn't it be safe if anonymous private
> mincore() kept working, and restrictions were applied only to page cache?

I was considering that, but then I decided not to do so, as that'd make
the interface even more confusing and semantics non-obvious in the
'privileged' case.

> > The default behavior stays "mincore() can be used by anybody" in order to
> > be conservative with respect to userspace behavior.
>
> What if we lied instead of returned -EPERM, to not break userspace so
> obviously? I guess false positive would be the safer lie?

So your proposal basically would be

if (privileged && !CAP_SYS_ADMIN)
if (pagecache)
return false;
else
return do_mincore()

right ?

I think userspace would hate us for that semantics, but on the other hand
I can sort of understand the 'mincore() is racy anyway, so what' argument,
if that's what you are suggesting.

But then, I have no idea what userspace is using mincore() for.
https://codesearch.debian.net/search?q=mincore might provide some insight
I guess (thanks Matthew).

--
Jiri Kosina
SUSE Labs