On 12/8/2023 1:06 AM, Yafang Shao wrote:
> In a containerized environment, independent memory binding by a user can
> lead to unexpected system issues or disrupt tasks being run by other users
> on the same server. If a user genuinely requires memory binding, we will
> allocate dedicated servers to them by leveraging kubelet deployment.
>
> At present, users have the capability to bind their memory to a specific
> node without explicit agreement or authorization from us. Consequently, a
> new LSM hook is introduced to mitigate this. This implementation allows us
> to exercise fine-grained control over memory policy adjustments within our
> container environment
I wonder if security_vm_enough_memory() ought to be reimplemented as
an option to security_set_mempolicy(). I'm not convinced either way,
but I can argue both.
> Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
> ---
> include/linux/lsm_hook_defs.h | 3 +++
> include/linux/security.h | 9 +++++++++
> mm/mempolicy.c | 8 ++++++++
> security/security.c | 13 +++++++++++++
> 4 files changed, 33 insertions(+)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index ff217a5..5580127 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -419,3 +419,6 @@
> LSM_HOOK(int, 0, uring_sqpoll, void)
> LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
> #endif /* CONFIG_IO_URING */
> +
> +LSM_HOOK(int, 0, set_mempolicy, unsigned long mode, unsigned short mode_flags,
> + nodemask_t *nmask, unsigned int flags)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 1d1df326..cc4a19a 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -484,6 +484,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
> int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
> int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
> int security_locked_down(enum lockdown_reason what);
> +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
> + nodemask_t *nmask, unsigned int flags);
> #else /* CONFIG_SECURITY */
>
> static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> @@ -1395,6 +1397,13 @@ static inline int security_locked_down(enum lockdown_reason what)
> {
> return 0;
> }
> +
> +static inline int
> +security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
> + nodemask_t *nmask, unsigned int flags)
> +{
> + return 0;
> +}
> #endif /* CONFIG_SECURITY */
>
> #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 10a590e..9535d9e 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1483,6 +1483,10 @@ static long kernel_mbind(unsigned long start, unsigned long len,
> if (err)
> return err;
>
> + err = security_set_mempolicy(lmode, mode_flags, &nodes, flags);
> + if (err)
> + return err;
> +
> return do_mbind(start, len, lmode, mode_flags, &nodes, flags);
> }
>
> @@ -1577,6 +1581,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
> if (err)
> return err;
>
> + err = security_set_mempolicy(lmode, mode_flags, &nodes, 0);
> + if (err)
> + return err;
> +
> return do_set_mempolicy(lmode, mode_flags, &nodes);
> }
>
> diff --git a/security/security.c b/security/security.c
> index dcb3e70..685ad79 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -5337,3 +5337,16 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd)
> return call_int_hook(uring_cmd, 0, ioucmd);
> }
> #endif /* CONFIG_IO_URING */
> +
> +/**
> + * security_set_mempolicy() - Check if memory policy can be adjusted
> + * @mode: The memory policy mode to be set
> + * @mode_flags: optional mode flags
> + * @nmask: modemask to which the mode applies
> + * @flags: mode flags for mbind(2) only
> + */
> +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags,
> + nodemask_t *nmask, unsigned int flags)
> +{
> + return call_int_hook(set_mempolicy, 0, mode, mode_flags, nmask, flags);
> +}
