In container environment, we don't want users to bind their memory to a
specific numa node, while we want to unit control memory resource with
kubelet. Therefore, add a new lsm hook for set_mempolicy(2), then we can
enforce fine-grained control over memory policy adjustment by the tasks in
a container.
Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
---
include/linux/lsm_hook_defs.h | 2 ++
include/linux/security.h | 8 ++++++++
mm/mempolicy.c | 4 ++++
security/security.c | 5 +++++
4 files changed, 19 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index b1b5e3a..725a03d 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -423,3 +423,5 @@
LSM_HOOK(int, 0, mbind, unsigned long start, unsigned long len,
unsigned long mode, const unsigned long __user *nmask,
unsigned long maxnode, unsigned int flags)
+LSM_HOOK(int, 0, set_mempolicy, int mode, const unsigned long __user *nmask,
+ unsigned long maxnode)
diff --git a/include/linux/security.h b/include/linux/security.h
index 9f87543..93c91b6a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -487,6 +487,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
int security_mbind(unsigned long start, unsigned long len,
unsigned long mode, const unsigned long __user *nmask,
unsigned long maxnode, unsigned int flags);
+int security_set_mempolicy(int mode, const unsigned long __user *nmask,
+ unsigned long maxnode);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1405,6 +1407,12 @@ static inline int security_mbind(unsigned long start, unsigned long len,
{
return 0;
}
+
+static inline int security_set_mempolicy(int mode, const unsigned long __user *nmask,
+ unsigned long maxnode)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 98a378c..0a76cd2 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1581,6 +1581,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
if (err)
return err;
+ err = security_set_mempolicy(mode, nmask, maxnode);
+ if (err)
+ return err;
+
return do_set_mempolicy(lmode, mode_flags, &nodes);
}
diff --git a/security/security.c b/security/security.c
index 425ec1c..79ae17d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5344,3 +5344,8 @@ int security_mbind(unsigned long start, unsigned long len,
{
return call_int_hook(mbind, 0, start, len, mode, nmask, maxnode, flags);
}
+
+int security_set_mempolicy(int mode, const unsigned long __user *nmask, unsigned long maxnode)
+{
+ return call_int_hook(set_mempolicy, 0, mode, nmask, maxnode);
+}
--
1.8.3.1
