RE: [RFC PATCH v1 1/4] mm/remote_mapping: mirror a process address space

Date: Wed Dec 11 2019 - 12:05:00 EST

> On Wed, Dec 11, 2019 at 09:29:17AM +0000, Mircea CIRJALIU - MELIU wrote:
> > Use a device to inspect another process address space via page table
> > mirroring.
> > Give this device a source process PID via an ioctl(), then use mmap()
> > to analyze the source process address space like an ordinary file.
> > Process address space mirroring is limited to anon VMAs.
> > The device mirrors page tables on demand (faults) and invalidates them
> > by listening to MMU notifier events.
> It's way too brief to justify the new interface. Use cases? Why current
> interfaces are not enough?

Its main purpose is virtual machine introspection.
It could also be used for security software, debuggers, etc.

It gains direct access to another process's address space by mirroring its page
tables into the local process address space.
The main difference from ptrace is zero-copy read/write.

The use case looks like this:
fd = open("/dev/mirror-proc", O_RDWR);

/* hook on process 1234 */
ioctl(fd, REMOTE_PROC_MAP, 1234);

addr = mmap(NULL, length, PROT_READ | PROT_WRITE, MAP_SHARED, fd, offset);
/* operate on memory of process 1234 */
munmap(addr, length);

The address space mirroring is done in a VMA with VM_PFNMAP attributes.
The PFNs are installed in the fault handlers and invalidated via MMU notifier.
So no page management structures are involved.

Observe that the introspector process can mmap() very large regions from
the source process address space, sometimes involving holes. If no page is
found at a given address, the introspector gets a SIGBUS.

> There's nothing in the description that would convince me to look at the
> code.
> --
> Kirill A. Shutemov
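As an added example (not part of this patch or of the thread), the following C program shows the SIGBUS handling an introspector needs when it touches a hole in a mirrored region, as described in the reply above. Because /dev/mirror-proc is not available outside the patched kernel, the program stands in for it with a constructed 2-page MAP_SHARED mapping of a 1-page temporary file, which also raises SIGBUS on the page beyond EOF. The names guarded_read, mirror_hole_demo and on_sigbus are mine, not identifiers from the patch; the same guarded_read() would be pointed at the mmap() of the device from the mail.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target, armed only while guarded_read() is touching the mirror. */
static sigjmp_buf bus_jmp;
static volatile sig_atomic_t bus_armed;

static void on_sigbus(int sig)
{
    (void)sig;
    if (bus_armed)
        siglongjmp(bus_jmp, 1);
    /* SIGBUS outside a guarded access is a real bug: restore the default
     * action and let the process die instead of hiding it. */
    signal(SIGBUS, SIG_DFL);
    raise(SIGBUS);
}

static int install_bus_handler(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigbus;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGBUS, &sa, NULL);
}

/*
 * Copy up to len bytes from the mirrored region src into dst.
 * Returns the number of bytes copied: len on success, or the offset of the
 * first byte whose access raised SIGBUS (a hole in the source address space).
 */
static size_t guarded_read(unsigned char *dst, const volatile unsigned char *src,
                           size_t len)
{
    /* volatile: modified between sigsetjmp() and siglongjmp(). */
    volatile size_t done = 0;

    if (sigsetjmp(bus_jmp, 1) != 0) {
        /* Came back from on_sigbus(): done is the faulting offset. */
        bus_armed = 0;
        return done;
    }
    bus_armed = 1;
    while (done < len) {
        dst[done] = src[done];
        done++;
    }
    bus_armed = 0;
    return done;
}

/*
 * Constructed stand-in for a mirrored region with a hole: a 2-page mapping
 * of a 1-page temporary file. Page 0 is backed; page 1 lies beyond EOF and
 * raises SIGBUS when touched, which is what the introspector sees on an
 * unmapped source address. Asks guarded_read() for `request` bytes and
 * returns how many were actually copied, or -1 on setup failure.
 */
static long mirror_hole_demo(size_t request)
{
    long page = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/mirror-hole-XXXXXX";
    unsigned char *map, *buf;
    size_t got;
    int fd;

    if (page <= 0 || install_bus_handler() != 0)
        return -1;
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (ftruncate(fd, page) != 0) {
        close(fd);
        return -1;
    }
    map = mmap(NULL, 2 * page, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (map == MAP_FAILED)
        return -1;
    buf = malloc(request ? request : 1);
    if (!buf) {
        munmap(map, 2 * page);
        return -1;
    }
    got = guarded_read(buf, map, request);
    free(buf);
    munmap(map, 2 * page);
    return (long)got;
}

int main(void)
{
    long page = sysconf(_SC_PAGESIZE);

    printf("copied %ld of %ld requested bytes (hole starts at offset %ld)\n",
           mirror_hole_demo(2 * page), 2 * page, page);
    return 0;
}
```

A read that stops short tells the introspector exactly where the hole begins, so it can skip to the next region rather than crash; the sigsetjmp(..., 1) form restores the signal mask on the way back, so SIGBUS stays deliverable for the next guarded access.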