From: Qi Tang <tpluszz77@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>,
David Hildenbrand <david@kernel.org>,
Andrei Vagin <avagin@gmail.com>,
Cyrill Gorcunov <gorcunov@openvz.org>,
Oleg Nesterov <oleg@redhat.com>,
linux-kernel@vger.kernel.org, Qi Tang <tpluszz77@gmail.com>
Subject: Re: [PATCH] prctl: require checkpoint_restore_ns_capable for PR_SET_MM_MAP
Date: Fri, 3 Apr 2026 11:54:44 +0800 [thread overview]
Message-ID: <20260403035444.19965-1-tpluszz77@gmail.com> (raw)
In-Reply-To: <20260402104712.111d87b0154260372595cadf@linux-foundation.org>
On Thu, Apr 2, 2026, Andrei Vagin wrote:
> A approach is to eliminate CAP_SYS_RESOURCE check but pass all
> new values in one bundle, which would allow the kernel to make
> more intensive test for sanity of values and same time allow us
> to support checkpoint/restore of user namespaces.
>
> The initial implementation of PR_SET_MM_MAP didn't have the
> capability check.
This clears up the history. The two paths have different
permission models by design, not by accident.
On Thu, Apr 2, 2026, Lorenzo Stoakes wrote:
> But if it's your process does it really matter? You can
> manipulate memory all over the place in your process...
I went back and checked each impact I claimed. The SELinux
execheap bypass does not work because file_map_prot_check()
still enforces PROCESS__EXECMEM on anonymous mappings
regardless of start_brk. The procfs paths use
access_remote_vm() which safely returns zero for unmapped
addresses. auxv only affects the process itself. So yes,
it doesn't really matter.
I should have verified these claims more carefully before
sending the patch. Lesson learned.
Please drop this patch.
That said, the man page still documents PR_SET_MM as requiring
CAP_SYS_RESOURCE, and the individual field path enforces it
while the MAP path does not. Might be worth a man-pages fix
or a code comment to make the intent explicit, but that's a
separate cleanup.
Thanks everyone for the thorough discussion.
Qi Tang
prev parent reply other threads:[~2026-04-03 3:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 11:13 [PATCH] prctl: require checkpoint_restore_ns_capable for PR_SET_MM_MAP Qi Tang
2026-04-02 12:57 ` Oleg Nesterov
2026-04-02 13:07 ` Lorenzo Stoakes (Oracle)
2026-04-02 13:13 ` Oleg Nesterov
2026-04-02 13:41 ` David Hildenbrand (Arm)
2026-04-02 13:06 ` Lorenzo Stoakes (Oracle)
2026-04-02 13:55 ` David Hildenbrand (Arm)
2026-04-02 14:05 ` David Hildenbrand (Arm)
2026-04-02 14:21 ` Lorenzo Stoakes (Oracle)
2026-04-02 14:27 ` David Hildenbrand (Arm)
2026-04-02 17:46 ` Andrei Vagin
2026-04-02 13:30 ` David Hildenbrand (Arm)
2026-04-02 13:51 ` Qi Tang
2026-04-02 17:47 ` Andrew Morton
2026-04-03 3:54 ` Qi Tang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260403035444.19965-1-tpluszz77@gmail.com \
--to=tpluszz77@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=avagin@gmail.com \
--cc=david@kernel.org \
--cc=gorcunov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ljs@kernel.org \
--cc=oleg@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox