On Thu, Sep 9, 2021 at 2:57 AM Feng Zhou <zhoufeng.zf@xxxxxxxxxxxxx> wrote:
>
> Compared to the read interface, kcore mmap has no increased risk, it just
> reduces context switching.

Yes, but the main worry is "do we really need to make this faster and easier"?

Because one of the possible main users is literally the black hat "I got root, now I want to do a rootkit".

And mmap is very very different from read().

Why? Because using mmap() you can now track changes in realtime (i.e. you poll waiting for some memory location to change, possibly even with hardware assist - like watchpoints or ring3 "monitor/mwait").

So mmap() of the kernel memory literally acts as a prime tool for looking at and exploiting races.

Which is why I'm _very_ leery of these kinds of interfaces. Do they have possible good uses? Yes. But the bad uses seem to actually dominate. The good users don't seem _that_ critical, while the bad users would seem to absolutely love this interface.

See my argument? This is basically a very dangerous interface. The fact that it is read-only doesn't change that at all.

            Linus