| Message ID | 20231208090622.4309-4-laoar.shao@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | mm, security, bpf: Fine-grained control over memory policy adjustments with lsm bpf | expand |
On 12/8/2023 1:06 AM, Yafang Shao wrote: > In a containerized environment, independent memory binding by a user can > lead to unexpected system issues or disrupt tasks being run by other users > on the same server. If a user genuinely requires memory binding, we will > allocate dedicated servers to them by leveraging kubelet deployment. > > At present, users have the capability to bind their memory to a specific > node without explicit agreement or authorization from us. Consequently, a > new LSM hook is introduced to mitigate this. This implementation allows us > to exercise fine-grained control over memory policy adjustments within our > container environment I wonder if security_vm_enough_memory() ought to be reimplemented as an option to security_set_mempolicy(). I'm not convinced either way, but I can argue both. > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > --- > include/linux/lsm_hook_defs.h | 3 +++ > include/linux/security.h | 9 +++++++++ > mm/mempolicy.c | 8 ++++++++ > security/security.c | 13 +++++++++++++ > 4 files changed, 33 insertions(+) > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index ff217a5..5580127 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -419,3 +419,6 @@ > LSM_HOOK(int, 0, uring_sqpoll, void) > LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) > #endif /* CONFIG_IO_URING */ > + > +LSM_HOOK(int, 0, set_mempolicy, unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags) > diff --git a/include/linux/security.h b/include/linux/security.h > index 1d1df326..cc4a19a 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -484,6 +484,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, > int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); > int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); > int security_locked_down(enum lockdown_reason what); > +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags); > #else /* CONFIG_SECURITY */ > > static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) > @@ -1395,6 +1397,13 @@ static inline int security_locked_down(enum lockdown_reason what) > { > return 0; > } > + > +static inline int > +security_set_mempolicy(unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags) > +{ > + return 0; > +} > #endif /* CONFIG_SECURITY */ > > #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) > diff --git a/mm/mempolicy.c b/mm/mempolicy.c > index 10a590e..9535d9e 100644 > --- a/mm/mempolicy.c > +++ b/mm/mempolicy.c > @@ -1483,6 +1483,10 @@ static long kernel_mbind(unsigned long start, unsigned long len, > if (err) > return err; > > + err = security_set_mempolicy(lmode, mode_flags, &nodes, flags); > + if (err) > + return err; > + > return do_mbind(start, len, lmode, mode_flags, &nodes, flags); > } > > @@ -1577,6 +1581,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask, > if (err) > return err; > > + err = security_set_mempolicy(lmode, mode_flags, &nodes, 0); > + if (err) > + return err; > + > return do_set_mempolicy(lmode, mode_flags, &nodes); > } > > diff --git a/security/security.c b/security/security.c > index dcb3e70..685ad79 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -5337,3 +5337,16 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) > return call_int_hook(uring_cmd, 0, ioucmd); > } > #endif /* CONFIG_IO_URING */ > + > +/** > + * security_set_mempolicy() - Check if memory policy can be adjusted > + * @mode: The memory policy mode to be set > + * @mode_flags: optional mode flags > + * @nmask: modemask to which the mode applies > + * @flags: mode flags for mbind(2) only > + */ > +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags) > +{ > + return call_int_hook(set_mempolicy, 0, mode, mode_flags, nmask, flags); > +}
On Sat, Dec 9, 2023 at 1:30 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > On 12/8/2023 1:06 AM, Yafang Shao wrote: > > In a containerized environment, independent memory binding by a user can > > lead to unexpected system issues or disrupt tasks being run by other users > > on the same server. If a user genuinely requires memory binding, we will > > allocate dedicated servers to them by leveraging kubelet deployment. > > > > At present, users have the capability to bind their memory to a specific > > node without explicit agreement or authorization from us. Consequently, a > > new LSM hook is introduced to mitigate this. This implementation allows us > > to exercise fine-grained control over memory policy adjustments within our > > container environment > > I wonder if security_vm_enough_memory() ought to be reimplemented as > an option to security_set_mempolicy(). I'm not convinced either way, > but I can argue both. The function security_vm_enough_memory() serves to verify the permissibility of a new memory map, while security_set_mempolicy() comes into play post-memory map allocation. Expanding security_vm_enough_memory() to include memory policy checks might potentially lead to regressions. Therefore, I would prefer to introduce a new function, security_set_mempolicy(), to handle these checks separately.
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ff217a5..5580127 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -419,3 +419,6 @@ LSM_HOOK(int, 0, uring_sqpoll, void) LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) #endif /* CONFIG_IO_URING */ + +LSM_HOOK(int, 0, set_mempolicy, unsigned long mode, unsigned short mode_flags, + nodemask_t *nmask, unsigned int flags) diff --git a/include/linux/security.h b/include/linux/security.h index 1d1df326..cc4a19a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -484,6 +484,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags, + nodemask_t *nmask, unsigned int flags); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) @@ -1395,6 +1397,13 @@ static inline int security_locked_down(enum lockdown_reason what) { return 0; } + +static inline int +security_set_mempolicy(unsigned long mode, unsigned short mode_flags, + nodemask_t *nmask, unsigned int flags) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 10a590e..9535d9e 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -1483,6 +1483,10 @@ static long kernel_mbind(unsigned long start, unsigned long len, if (err) return err; + err = security_set_mempolicy(lmode, mode_flags, &nodes, flags); + if (err) + return err; + return do_mbind(start, len, lmode, mode_flags, &nodes, flags); } @@ -1577,6 +1581,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask, if (err) return err; + err = security_set_mempolicy(lmode, mode_flags, &nodes, 0); + if (err) + return err; + return do_set_mempolicy(lmode, mode_flags, &nodes); } diff --git a/security/security.c b/security/security.c index dcb3e70..685ad79 100644 --- a/security/security.c +++ b/security/security.c @@ -5337,3 +5337,16 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) return call_int_hook(uring_cmd, 0, ioucmd); } #endif /* CONFIG_IO_URING */ + +/** + * security_set_mempolicy() - Check if memory policy can be adjusted + * @mode: The memory policy mode to be set + * @mode_flags: optional mode flags + * @nmask: modemask to which the mode applies + * @flags: mode flags for mbind(2) only + */ +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags, + nodemask_t *nmask, unsigned int flags) +{ + return call_int_hook(set_mempolicy, 0, mode, mode_flags, nmask, flags); +}
In a containerized environment, independent memory binding by a user can lead to unexpected system issues or disrupt tasks being run by other users on the same server. If a user genuinely requires memory binding, we will allocate dedicated servers to them by leveraging kubelet deployment. At present, users have the capability to bind their memory to a specific node without explicit agreement or authorization from us. Consequently, a new LSM hook is introduced to mitigate this. This implementation allows us to exercise fine-grained control over memory policy adjustments within our container environment Signed-off-by: Yafang Shao <laoar.shao@gmail.com> --- include/linux/lsm_hook_defs.h | 3 +++ include/linux/security.h | 9 +++++++++ mm/mempolicy.c | 8 ++++++++ security/security.c | 13 +++++++++++++ 4 files changed, 33 insertions(+)