In a containerized environment, independent memory binding by a user can
lead to unexpected system issues or disrupt tasks being run by other users
on the same server. If a user genuinely requires memory binding, we will
allocate dedicated servers to them by leveraging kubelet deployment.
At present, users have the capability to bind their memory to a specific
node without explicit agreement or authorization from us. Consequently, a
new LSM hook is introduced to mitigate this. This implementation allows us
to exercise fine-grained control over memory policy adjustments within our
container environment
Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
---
include/linux/lsm_hook_defs.h | 3 +++
include/linux/security.h | 9 +++++++++
mm/mempolicy.c | 8 ++++++++
security/security.c | 13 +++++++++++++
4 files changed, 33 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index ff217a5ce552..558012719f98 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -419,3 +419,6 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
LSM_HOOK(int, 0, uring_sqpoll, void)
LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
#endif /* CONFIG_IO_URING */
+
+LSM_HOOK(int, 0, set_mempolicy, unsigned long mode, unsigned short mode_flags,
+ nodemask_t *nmask, unsigned int flags)
diff --git a/include/linux/security.h b/include/linux/security.h
index 1d1df326c881..cc4a19a0888c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -484,6 +484,8 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
+int security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
+ nodemask_t *nmask, unsigned int flags);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1395,6 +1397,13 @@ static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
}
+
+static inline int
+security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
+ nodemask_t *nmask, unsigned int flags)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 1eafe81d782e..9a260dd24a4b 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1495,6 +1495,10 @@ static long kernel_mbind(unsigned long start, unsigned long len,
if (err)
return err;
+ err = security_set_mempolicy(lmode, mode_flags, &nodes, flags);
+ if (err)
+ return err;
+
return do_mbind(start, len, lmode, mode_flags, &nodes, flags);
}
@@ -1589,6 +1593,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
if (err)
return err;
+ err = security_set_mempolicy(lmode, mode_flags, &nodes, 0);
+ if (err)
+ return err;
+
return do_set_mempolicy(lmode, mode_flags, &nodes);
}
diff --git a/security/security.c b/security/security.c
index dcb3e7014f9b..685ad7993753 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5337,3 +5337,16 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd)
return call_int_hook(uring_cmd, 0, ioucmd);
}
#endif /* CONFIG_IO_URING */
+
+/**
+ * security_set_mempolicy() - Check if memory policy can be adjusted
+ * @mode: The memory policy mode to be set
+ * @mode_flags: optional mode flags
+ * @nmask: modemask to which the mode applies
+ * @flags: mode flags for mbind(2) only
+ */
+int security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
+ nodemask_t *nmask, unsigned int flags)
+{
+ return call_int_hook(set_mempolicy, 0, mode, mode_flags, nmask, flags);
+}
--
2.30.1 (Apple Git-130)
