mm, security: Add lsm hook for set_mempolicy_home_node(2)
In a container environment, we don't want users to bind their memory to a
specific NUMA node; instead, we want memory resources to be controlled in a
unified way by kubelet. Therefore, add a new LSM hook for
set_mempolicy_home_node(2), so that we can enforce fine-grained control over
memory policy adjustments made by the tasks in a container.

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
laoar authored and intel-lab-lkp committed Nov 12, 2023
1 parent 7ebb483 commit 9dcbf34
Showing 4 changed files with 22 additions and 0 deletions.
2 changes: 2 additions & 0 deletions include/linux/lsm_hook_defs.h
Expand Up @@ -425,3 +425,5 @@ LSM_HOOK(int, 0, mbind, unsigned long start, unsigned long len,
unsigned long maxnode, unsigned int flags)
LSM_HOOK(int, 0, set_mempolicy, int mode, const unsigned long __user *nmask,
unsigned long maxnode)
LSM_HOOK(int, 0, set_mempolicy_home_node, unsigned long start, unsigned long len,
unsigned long home_node, unsigned long flags)
8 changes: 8 additions & 0 deletions include/linux/security.h
Expand Up @@ -489,6 +489,8 @@ int security_mbind(unsigned long start, unsigned long len,
unsigned long maxnode, unsigned int flags);
int security_set_mempolicy(int mode, const unsigned long __user *nmask,
unsigned long maxnode);
int security_set_mempolicy_home_node(unsigned long start, unsigned long len,
unsigned long home_node, unsigned long flags);
#else /* CONFIG_SECURITY */

static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
Expand Down Expand Up @@ -1413,6 +1415,12 @@ static inline int security_set_mempolicy(int mode, const unsigned long __user *n
{
return 0;
}

static inline int security_set_mempolicy_home_node(unsigned long start, unsigned long len,
unsigned long home_node, unsigned long flags)
{
return 0;
}
#endif /* CONFIG_SECURITY */

#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
5 changes: 5 additions & 0 deletions mm/mempolicy.c
Expand Up @@ -1523,6 +1523,11 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
return -EINVAL;
if (end == start)
return 0;

err = security_set_mempolicy_home_node(start, len, home_node, flags);
if (err)
return err;

mmap_write_lock(mm);
prev = vma_prev(&vmi);
for_each_vma_range(vmi, vma, end) {
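Review bot: The hook result is stored in `err`, which the loop after `mmap_write_lock(mm)` presumably also uses for the syscall's return value; its declaration and initial value are outside the hunk. If `err` starts out as an error code that is returned when no VMA in the range gets updated, a successful hook call now resets it to 0 and that case would report success. Keeping the hook result in its own local avoids this: `ret = security_set_mempolicy_home_node(start, len, home_node, flags);` followed by `if (ret) return ret;`. The `end == start` early return above also skips the hook, so zero-length calls are never seen by an LSM; that looks harmless because nothing is modified, but a short comment saying so would help.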
7 changes: 7 additions & 0 deletions security/security.c
Expand Up @@ -5349,3 +5349,10 @@ int security_set_mempolicy(int mode, const unsigned long __user *nmask, unsigned
{
return call_int_hook(set_mempolicy, 0, mode, nmask, maxnode);
}

int security_set_mempolicy_home_node(unsigned long start, unsigned long len,
unsigned long home_node, unsigned long flags)
{

return call_int_hook(set_mempolicy_home_node, 0, start, len, home_node, flags);
}
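Review bot: `security_set_mempolicy_home_node()` is added without a kernel-doc comment, and there is a stray blank line right after its opening brace. A comment block above the function should name the four parameters, state that the hook is called from the syscall with the caller-supplied range, home node and flags, and give the return convention (0 if permission is granted, as the `call_int_hook` default of 0 suggests). None of the four changed files adds an LSM implementation of the hook, so that comment is the only place an implementer can learn what the arguments mean, for example whether `len` has already been page-aligned, which the hunks do not show.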
