Re: [patch 3/3] [PATCH] prctl: Add PR_SET_MM codes to set up mm_structentires v3

[KOSAKI Motohiro]

(12/12/11 4:58 PM), Cyrill Gorcunov wrote:
> On Mon, Dec 12, 2011 at 04:49:38PM -0500, KOSAKI Motohiro wrote:
> > Hi
> >
> > > When we restore a task we need to set up text, data and data
> > > heap sizes from userspace to the values a task had at
> > > checkpoint time. This patch adds auxilary prctl codes for that.
> > >
> > > While most of them have a statistical nature (their values
> > > are involved into calculation of /proc/<pid>/statm output)
> > > the start_brk and brk values are used to compute an allowed
> > > size of program data segment expansion. Which means an arbitrary
> > > changes of this values might be dangerous operation. So to restrict
> > > access the following requirements applied to prctl calls:
> > >
> > >    - The process has to have CAP_SYS_ADMIN capability granted.
> >
> > This is very dangerous feature and useless from regular admins.
>
> Except brk() call I don't see where it might be extremelly
> dangerous at moment but indeed it might become very dangerous
> once code grows. Still if evil minded person got CAP_SYS_ADMIN
> these prctls are least thing one should carry about.

I'm sorry, I misunderstood your code. Your code only allow to change
their own process attribute. So, it's enough harmless. Please ignore
my last mail.



> > Moreover, CAP_SYS_ADMIN has a pretty overweight meanings and
> > we can't disable it on practical. So, I have a question. Why
> > don't you make new capability for checkpoint?
>
> It's not a problem to introduce CAP_CHECKPOINT_RESTORE, but
> would it be accepted? I mean, are we fine with new capability
> introduction? If yes -- I'll add new one and rebase the patch.




--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/