From patchwork Fri Oct 21 22:32:59 2022
X-Patchwork-Submitter: Zach O'Keefe
X-Patchwork-Id: 13015560
Date: Fri, 21 Oct 2022 15:32:59 -0700
In-Reply-To: <20221021223300.3675201-1-zokeefe@google.com>
References: <20221021223300.3675201-1-zokeefe@google.com>
Message-ID: <20221021223300.3675201-4-zokeefe@google.com>
Subject: [PATCH man-pages v3 3/4] process_madvise.2: fix capability and ptrace requirements
From: Zach OKeefe
To: Alejandro Colomar, Michael Kerrisk
Cc: Yang Shi, linux-mm@kvack.org, linux-man@vger.kernel.org, "Zach O'Keefe", Suren Baghdasaryan, Minchan Kim

From: Zach O'Keefe

The initial commit of process_madvise(2) to Linux, commit ecb8ac8b1f14
("mm/madvise: introduce process_madvise() syscall: an external memory
hinting API"), relied on PTRACE_MODE_ATTACH_FSCREDS (see ptrace(2)), but
was amended by commit 96cfe2c0fd23 ("mm/madvise: replace ptrace attach
requirement for process_madvise") which replaced this with a combination
of PTRACE_MODE_READ and CAP_SYS_NICE (PTRACE_MODE_READ to prevent
leaking ASLR metadata and CAP_SYS_NICE for influencing process
performance).

The initial commit of process_madvise(2) to man-pages project, made
after the second patch, included two errors:

1) CAP_SYS_ADMIN instead of CAP_SYS_NICE
2) PTRACE_MODE_READ_REALCREDS instead of PTRACE_MODE_READ_FSCREDS

Correct this in the man-page for process_madvise(2).

Fixes: a144f458b ("process_madvise.2: Document process_madvise(2)")
Cc: Suren Baghdasaryan
Cc: Minchan Kim
Signed-off-by: Zach O'Keefe
Reviewed-by: Suren Baghdasaryan

--- man2/process_madvise.2 | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/man2/process_madvise.2 b/man2/process_madvise.2 index 6208206e4..44d3b94e8 100644 --- a/man2/process_madvise.2 +++ b/man2/process_madvise.2
@@ -105,16 +105,20 @@ remote process. No further elements will be processed beyond that point. (See the discussion regarding partial advice in RETURN VALUE.) .PP -Permission to apply advice to another process is governed by a +.\" commit 96cfe2c0fd23ea7c2368d14f769d287e7ae1082e +Starting in Linux 5.12, +permission to apply advice to another process is governed by ptrace access mode -.B PTRACE_MODE_READ_REALCREDS +.B PTRACE_MODE_READ_FSCREDS check (see .BR ptrace (2)); in addition, because of the performance implications of applying the advice, the caller must have the -.B CAP_SYS_ADMIN -capability. +.B CAP_SYS_NICE +capability +(see +.BR capabilities (7)). .SH RETURN VALUE On success, .BR process_madvise () @@ -180,6 +184,15 @@ configuration option. The .BR process_madvise () system call is Linux-specific. +.SH NOTES +When this system call first appeared in Linux 5.10, +permission to apply advice to another process was entirely governed by +ptrace access mode +.B PTRACE_MODE_ATTACH_FSCREDS +check (see +.BR ptrace (2)). +This requirement was relaxed in Linux 5.12 so that the caller didn't require +full control over the target process. .SH SEE ALSO .BR madvise (2), .BR pidfd_open (2),
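Review bot: In the first hunk (@@ -105,16 +105,20 @@), the replacement for "Permission to apply advice to another process is governed by a" drops the article, so the rendered sentence becomes "governed by ptrace access mode PTRACE_MODE_READ_FSCREDS check"; keep the trailing "a" on the new "+permission to apply advice to another process is governed by" line. Since the paragraph now opens with "Starting in Linux 5.12", it would also help to add a "(see NOTES)" pointer here, so that a reader checking the permission model for a 5.10 or 5.11 kernel is sent to the PTRACE_MODE_ATTACH_FSCREDS text instead of assuming no check applied.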
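Review bot: In the second hunk (@@ -180,6 +184,15 @@), the new NOTES paragraph says the requirement "was relaxed in Linux 5.12", but the DESCRIPTION change in this same patch shows 5.12 also added a CAP_SYS_NICE requirement, so a caller that passed the old attach check without that capability would no longer qualify. Suggest wording it as a replacement, for example "was replaced in Linux 5.12 by a PTRACE_MODE_READ_FSCREDS check plus the CAP_SYS_NICE capability", so the NOTES text cannot be read as a pure loosening. Two smaller points in the same paragraph: "entirely governed by ptrace access mode" is missing the article "a", and "didn't require" would normally be spelled out as "does not require" in a manual page.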