On Tue 12-01-21 10:12:03, Suren Baghdasaryan wrote: > On Mon, Jan 11, 2021 at 11:46 PM Michal Hocko <mhocko@xxxxxxxx> wrote: > > > > On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote: > > > process_madvise currently requires ptrace attach capability. > > > PTRACE_MODE_ATTACH gives one process complete control over another > > > process. It effectively removes the security boundary between the > > > two processes (in one direction). Granting ptrace attach capability > > > even to a system process is considered dangerous since it creates an > > > attack surface. This severely limits the usage of this API. > > > The operations process_madvise can perform do not affect the correctness > > > of the operation of the target process; they only affect where the data > > > is physically located (and therefore, how fast it can be accessed). > > > > Yes it doesn't influence the correctness but it is still a very > > sensitive operation because it can allow a targeted side channel timing > > attacks so we should be really careful. > > Sorry, I missed this comment in my answer. Possibility of affecting > the target's performance including side channel attack is why we > require CAP_SYS_NICE. OK. It would be really good to document that in the man page. From the current wording it seems we already rely on this cap for migration on a remote process which is not the same thing but it roughly falls into the similar category. -- Michal Hocko SUSE Labs
