From: Kees Cook <kees@kernel.org>
To: Suren Baghdasaryan <surenb@google.com>
Cc: Andrii Nakryiko <andrii@kernel.org>,
linux-mm@kvack.org, akpm@linux-foundation.org,
linux-fsdevel@vger.kernel.org, brauner@kernel.org,
viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, kernel-team@meta.com, rostedt@goodmis.org,
peterz@infradead.org, mingo@kernel.org,
linux-trace-kernel@vger.kernel.org,
linux-perf-users@vger.kernel.org, shakeel.butt@linux.dev,
rppt@kernel.org, liam.howlett@oracle.com,
Jann Horn <jannh@google.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] mm,procfs: allow read-only remote mm access under CAP_PERFMON
Date: Thu, 23 Jan 2025 15:47:44 -0800 [thread overview]
Message-ID: <202501231526.A3C13EC5@keescook> (raw)
In-Reply-To: <CAJuCfpE9QOo-xmDpk_FF=gs3p=9Zzb-Q5yDaKAEChBCnpogmQg@mail.gmail.com>
On Thu, Jan 23, 2025 at 01:52:52PM -0800, Suren Baghdasaryan wrote:
> On Thu, Jan 23, 2025 at 1:44 PM Andrii Nakryiko <andrii@kernel.org> wrote:
> >
> > It's very common for various tracing and profiling toolis to need to
> > access /proc/PID/maps contents for stack symbolization needs to learn
> > which shared libraries are mapped in memory, at which file offset, etc.
> > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> > are looking at data for our own process, which is a trivial case not too
> > relevant for profilers use cases).
> >
> > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> > discover memory layout of another process: it allows to fully control
> > arbitrary other processes. This is problematic from security POV for
> > applications that only need read-only /proc/PID/maps (and other similar
> > read-only data) access, and in large production settings CAP_SYS_PTRACE
> > is frowned upon even for the system-wide profilers.
> >
> > On the other hand, it's already possible to access similar kind of
> > information (and more) with just CAP_PERFMON capability. E.g., setting
> > up PERF_RECORD_MMAP collection through perf_event_open() would give one
> > similar information to what /proc/PID/maps provides.
> >
> > CAP_PERFMON, together with CAP_BPF, is already a very common combination
> > for system-wide profiling and observability application. As such, it's
> > reasonable and convenient to be able to access /proc/PID/maps with
> > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> >
> > For procfs, these permissions are checked through common mm_access()
> > helper, and so we augment that with cap_perfmon() check *only* if
> > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> > permitted by CAP_PERFMON.
> >
> > Besides procfs itself, mm_access() is used by process_madvise() and
> > process_vm_{readv,writev}() syscalls. The former one uses
> > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> > seems like a meaningful allowable capability as well.
> >
> > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> > permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> > but that's outside the scope of this change), and as such won't be
> > affected by this patch.
>
> CC'ing Jann and Kees.
>
> >
> > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> > ---
> > kernel/fork.c | 11 ++++++++++-
> > 1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index ded49f18cd95..c57cb3ad9931 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task)
> > }
> > EXPORT_SYMBOL_GPL(get_task_mm);
> >
> > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode)
> > +{
> > + if (mm == current->mm)
> > + return true;
> > + if ((mode & PTRACE_MODE_READ) && perfmon_capable())
> > + return true;
> > + return ptrace_may_access(task, mode);
> > +}
nit: "may" tends to be used more than "can" for access check function naming.
So, this will bypass security_ptrace_access_check() within
ptrace_may_access(). CAP_PERFMON may be something LSMs want visibility
into.
It also bypasses the dumpability check in __ptrace_may_access(). (Should
non-dumpability block visibility into "maps" under CAP_PERFMON?)
This change provides read access for CAP_PERFMON to:
/proc/$pid/maps
/proc/$pid/smaps
/proc/$pid/mem
/proc/$pid/environ
/proc/$pid/auxv
/proc/$pid/attr/*
/proc/$pid/smaps_rollup
/proc/$pid/pagemap
/proc/$pid/mem access seems way out of bounds for CAP_PERFMON. environ
and auxv maybe too much also. The "attr" files seem iffy. pagemap may be
reasonable.
Gaining CAP_PERFMON access to *only* the "maps" file doesn't seem too
bad to me, but I think the proposed patch ends up providing way too wide
access to other things.
Also, this is doing an init-namespace capability check for
CAP_PERFMON (via perfmon_capable()). Shouldn't this be per-namespace?
-Kees
> > +
> > struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> > {
> > struct mm_struct *mm;
> > @@ -1559,7 +1568,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> > mm = get_task_mm(task);
> > if (!mm) {
> > mm = ERR_PTR(-ESRCH);
> > - } else if (mm != current->mm && !ptrace_may_access(task, mode)) {
> > + } else if (!can_access_mm(mm, task, mode)) {
> > mmput(mm);
> > mm = ERR_PTR(-EACCES);
> > }
> > --
> > 2.43.5
> >
--
Kees Cook
next prev parent reply other threads:[~2025-01-23 23:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-23 21:43 Andrii Nakryiko
2025-01-23 21:52 ` Suren Baghdasaryan
2025-01-23 23:47 ` Kees Cook [this message]
2025-01-23 23:55 ` Jann Horn
2025-01-24 1:02 ` Andrii Nakryiko
2025-01-24 0:26 ` Shakeel Butt
2025-01-24 0:59 ` Andrii Nakryiko
2025-01-24 9:38 ` Christian Brauner
2025-01-24 9:45 ` Christian Brauner
2025-01-24 17:31 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202501231526.A3C13EC5@keescook \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=jannh@google.com \
--cc=kernel-team@meta.com \
--cc=liam.howlett@oracle.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=shakeel.butt@linux.dev \
--cc=surenb@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox