On 11/12/23 05:52, Theodore Ts'o wrote:
> On Sat, Nov 11, 2023 at 02:24:31PM +0100, Willy Tarreau wrote:
>> Hello,
>>
>> On Sat, Nov 11, 2023 at 01:51:26PM +0100, York Jasper Niebuhr wrote:
>> > Adds a system call to flag a process' resources to be cleared on
>> > exit (or, in the case of memory, on free). Currently, only zeroing
>> > memory is implemented.
>> (...)
>>
>> IMHO it does not make sense to add a syscall for this, please have a
>> look at prctl(2) instead, which is already used for similar settings.
>
> Another reason to use prctl() is there are other cases when you'd want
> to zero a process's memory. For example, if the process gets killed
> to some kind of signal, or when it gets OOM killed (where there is no
> system call which forces the process to exit). Also, if you want to
> zero memory when the process exits, you'd want to zero the process
> memory on an exec(2).

Probably also munmap() and maybe a number of other ways where the process
can give up its memory voluntarily. Then there are also involuntary ways
where a copy of the data can end up leaking elsewhere than the pages the
process has mapped - e.g. swapout/swapin of pages, page migration...

So I'm not sure it's feasible to attempt making a whole process
"sensitive" and close all the holes. Instead what we have is to mark
specific areas as sensitive - things like mlock(), madvise(MADV_DONTDUMP /
MADV_DONTFORK) and ultimately memfd_secret().

> Cheers,
>
> - Ted
>