From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DAA8DC02182
	for <linux-mm@archiver.kernel.org>; Thu, 23 Jan 2025 23:47:51 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 09411280023; Thu, 23 Jan 2025 18:47:51 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 043FE6B0099; Thu, 23 Jan 2025 18:47:50 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id E4D5D280023; Thu, 23 Jan 2025 18:47:50 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id C6BD36B0098
	for <linux-mm@kvack.org>; Thu, 23 Jan 2025 18:47:50 -0500 (EST)
Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay10.hostedemail.com (Postfix) with ESMTP id 516C8C08BF
	for <linux-mm@kvack.org>; Thu, 23 Jan 2025 23:47:50 +0000 (UTC)
X-FDA: 83040356700.09.EAB447F
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
	by imf29.hostedemail.com (Postfix) with ESMTP id 92990120010
	for <linux-mm@kvack.org>; Thu, 23 Jan 2025 23:47:48 +0000 (UTC)
Authentication-Results: imf29.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=uoM1KAGZ;
	spf=pass (imf29.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org;
	dmarc=pass (policy=quarantine) header.from=kernel.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1737676068;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=ZRJtO8VKxyDPDqzHMru1xiHTavtHjPoz9mSu4dgzuDE=;
	b=pm75Vey1QpySG651W28VGvSAlHV7EkswJD2jQ3yPtBLqYCETNltIuD9d/TAxb8Dbml42Vh
	KeEgR2iyV/aM4PUeLmadpDJxAnPM7zsYJaQNx5jpM7ejLd7WPexJNJ2+1mvLlOV+anO90V
	YhdJ5uxN9miOnRlvGIA83f3t8HqW+5o=
ARC-Authentication-Results: i=1;
	imf29.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=uoM1KAGZ;
	spf=pass (imf29.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org;
	dmarc=pass (policy=quarantine) header.from=kernel.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1737676068; a=rsa-sha256;
	cv=none;
	b=z29nxhIPk511nByTMi823LFtJ6Z9dLEvnDmS99XgQHxXIYfXQ0FIG17nTdk8KYRDqmIM5p
	KAjATGKGapImWQ84OeY5HsU1gyjzeYtjnbG4NynD8PYolSt6M7DMiooktAV8JfDmBWwtn8
	f6bpW0t26gI3uXvK/WR9wtjNcIeHIEQ=
Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])
	by dfw.source.kernel.org (Postfix) with ESMTP id 328C05C5BEA;
	Thu, 23 Jan 2025 23:47:07 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 29BCFC4CED3;
	Thu, 23 Jan 2025 23:47:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1737676067;
	bh=wraYd2NGwuEyzk8Cgc5yaLobelCCviWThCaaKkdHMu8=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=uoM1KAGZIiefDfHgZDxyELPBM22hTQH1XyHU+IpjJAIv2QNNwCPYMVqdM+htvYa6w
	 d/Un2AKdgpKpInZhod29JdKJpafmOZ8d2d57cmMi1Akm2/cDrq5gmDCA3LgeTI3DUU
	 dDY7Lz42F4b4Md8af6BpBtGZQ+loK2dOPaBW/haDChHwnz2lrvR6Fels6V9xvTvTsw
	 CtGcpS4SVKObhi7BWGvmLIhQAXGXwAykmaj7bc4onqYX6qyotevurEzmT0FDC80Fgg
	 xlGnalQak8rVIzU7ViSZumFDib6h7XwqcElLIpitqYAGiiIRWbQzzhPA03Vg5ERZhC
	 dxgg1WiZJ0z0A==
Date: Thu, 23 Jan 2025 15:47:44 -0800
From: Kees Cook <kees@kernel.org>
To: Suren Baghdasaryan <surenb@google.com>
Cc: Andrii Nakryiko <andrii@kernel.org>, linux-mm@kvack.org,
	akpm@linux-foundation.org, linux-fsdevel@vger.kernel.org,
	brauner@kernel.org, viro@zeniv.linux.org.uk,
	linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
	kernel-team@meta.com, rostedt@goodmis.org, peterz@infradead.org,
	mingo@kernel.org, linux-trace-kernel@vger.kernel.org,
	linux-perf-users@vger.kernel.org, shakeel.butt@linux.dev,
	rppt@kernel.org, liam.howlett@oracle.com,
	Jann Horn <jannh@google.com>, linux-security-module@vger.kernel.org
Subject: Re: [PATCH] mm,procfs: allow read-only remote mm access under
 CAP_PERFMON
Message-ID: <202501231526.A3C13EC5@keescook>
References: <20250123214342.4145818-1-andrii@kernel.org>
 <CAJuCfpE9QOo-xmDpk_FF=gs3p=9Zzb-Q5yDaKAEChBCnpogmQg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAJuCfpE9QOo-xmDpk_FF=gs3p=9Zzb-Q5yDaKAEChBCnpogmQg@mail.gmail.com>
X-Rspamd-Queue-Id: 92990120010
X-Stat-Signature: arqywtzq9o48mhtng5ys8be9pd8uiko9
X-Rspamd-Server: rspam08
X-Rspam-User: 
X-HE-Tag: 1737676068-221815
X-HE-Meta: U2FsdGVkX1+8EnwDyRxNjsS9sAzzxElxdrAxX9cOqrLDilL2UfJCwj2p0lreNiO4a6hP7OQ9INwUGZof/lvmvw5aEteNncbwfiWSJWsmABac2pJlFmXMA6jWes+B4VBKCN+hJddSf8JexuSkkc+bm1/hW/lsswot4ksKdwBEtSKqaF1hRwA1FgdDdZIenemaDjhR5v5Avs3LemRSeDvMAaLeMXyAjyTGjmGNWYdi9ckEJ/BRCH6MRg83ls12tsHinGhcZqI57FqFch4PBTZVXk6z1LpeQN0AN5nqKIC0511BkinAAzrTQnHDZNlnu0Cei+qWOsboHU5AnYkbJfdHwGWKpuNwjTE3hh3QxSk+/AvnyC5zgkfr5bLi9KxDm4ZZDJpS10S0XlkinnxuxHSpaZSrg9/6et7sMN3zi/v5CQYsDmgujthKVwobto454hvquHH9mxDCIMIPH+XCu+PnYnI2U3oi1ujBwrozTeiZxOmhlKnG/NnSizNbDVXp+X8CK8gqdTfIj6ZusUw9TBR0FtCGBAP1ILN0uBrS/yF2YI8k8ZADR8Ei+IVJdRfYX4H9lvAFTzGlWFXZ0wnEIw9u73Dtk5IVGPLcpuN2SOu1tQ0+vYU4AB2ueptp1cqaRp22q0P1LzwBK4nRrzR80QQswnc7s/bYNvsQbrTAI4Avczx2K1ADdEB/HfPF1RQefLUvMcDv+DwMl8CfyNoFVAc+TP1wVleJbUrOm7W/xhivGF5vjIA0srBdQ0EOpheKGZpDs6faEBbYYg0YsqnqtTySVp1JOFe0IS4di3pX/Z2TK/w+ynNsbX3BDoA4UZ5r8MhFCJzWqCpdvbp0JIAn5etsz7CapQAqQZMA78wQOBwiGoVFASfcAxkSwNrIJaCYi7cDSHOZonT1Z0CMEonPv+lGOuHERA5xpHdBkTZpcTsggVDypWvgQjElMjTy79eKBZxHsJDaCC5EXqV06m7tdjb
 UL1XNBPf
 +2URYEhEkFjQ9gDWztX0rj95YHr1XRG1D4CblDQZnahdSsXXZl0qcPfEA2MMTBxGGChQfOY2ezjXdZENdTISDYR/+ucRrJTAPJLb+z6OeJByRp8xE/UsplRxdGUgb7AKzAiMSA3gw3tj+DhjshkCsGJLuvMv8mqIoIB+9bpVIrsISpcawSK3bUYCybzO9OhGvaWkN/B4wV61DgsHR2b81j3mAUzwB+vTRkWPP0ilPG0FbrnRoOk2T5xCPqm+qnLIY6WMGwxBGJeiOxzT/zYS66keObX2I9N7lbVav9FJPj7l5eTxrpJHZzGUTNdtZp7/gIPot9bjUATIPaokfgodkUFcmdebCrKr0Uz7S
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On Thu, Jan 23, 2025 at 01:52:52PM -0800, Suren Baghdasaryan wrote:
> On Thu, Jan 23, 2025 at 1:44 PM Andrii Nakryiko <andrii@kernel.org> wrote:
> >
> > It's very common for various tracing and profiling toolis to need to
> > access /proc/PID/maps contents for stack symbolization needs to learn
> > which shared libraries are mapped in memory, at which file offset, etc.
> > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> > are looking at data for our own process, which is a trivial case not too
> > relevant for profilers use cases).
> >
> > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> > discover memory layout of another process: it allows to fully control
> > arbitrary other processes. This is problematic from security POV for
> > applications that only need read-only /proc/PID/maps (and other similar
> > read-only data) access, and in large production settings CAP_SYS_PTRACE
> > is frowned upon even for the system-wide profilers.
> >
> > On the other hand, it's already possible to access similar kind of
> > information (and more) with just CAP_PERFMON capability. E.g., setting
> > up PERF_RECORD_MMAP collection through perf_event_open() would give one
> > similar information to what /proc/PID/maps provides.
> >
> > CAP_PERFMON, together with CAP_BPF, is already a very common combination
> > for system-wide profiling and observability application. As such, it's
> > reasonable and convenient to be able to access /proc/PID/maps with
> > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> >
> > For procfs, these permissions are checked through common mm_access()
> > helper, and so we augment that with cap_perfmon() check *only* if
> > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> > permitted by CAP_PERFMON.
> >
> > Besides procfs itself, mm_access() is used by process_madvise() and
> > process_vm_{readv,writev}() syscalls. The former one uses
> > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> > seems like a meaningful allowable capability as well.
> >
> > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> > permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> > but that's outside the scope of this change), and as such won't be
> > affected by this patch.
> 
> CC'ing Jann and Kees.
> 
> >
> > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> > ---
> >  kernel/fork.c | 11 ++++++++++-
> >  1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index ded49f18cd95..c57cb3ad9931 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task)
> >  }
> >  EXPORT_SYMBOL_GPL(get_task_mm);
> >
> > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode)
> > +{
> > +       if (mm == current->mm)
> > +               return true;
> > +       if ((mode & PTRACE_MODE_READ) && perfmon_capable())
> > +               return true;
> > +       return ptrace_may_access(task, mode);
> > +}

nit: "may" tends to be used more than "can" for access check function naming.

So, this will bypass security_ptrace_access_check() within
ptrace_may_access(). CAP_PERFMON may be something LSMs want visibility
into.

It also bypasses the dumpability check in __ptrace_may_access(). (Should
non-dumpability block visibility into "maps" under CAP_PERFMON?)

This change provides read access for CAP_PERFMON to:

/proc/$pid/maps
/proc/$pid/smaps
/proc/$pid/mem
/proc/$pid/environ
/proc/$pid/auxv
/proc/$pid/attr/*
/proc/$pid/smaps_rollup
/proc/$pid/pagemap

/proc/$pid/mem access seems way out of bounds for CAP_PERFMON. environ
and auxv maybe too much also. The "attr" files seem iffy. pagemap may be
reasonable.

Gaining CAP_PERFMON access to *only* the "maps" file doesn't seem too
bad to me, but I think the proposed patch ends up providing way too wide
access to other things.

Also, this is doing an init-namespace capability check for
CAP_PERFMON (via perfmon_capable()). Shouldn't this be per-namespace?

-Kees

> > +
> >  struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> >  {
> >         struct mm_struct *mm;
> > @@ -1559,7 +1568,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> >         mm = get_task_mm(task);
> >         if (!mm) {
> >                 mm = ERR_PTR(-ESRCH);
> > -       } else if (mm != current->mm && !ptrace_may_access(task, mode)) {
> > +       } else if (!can_access_mm(mm, task, mode)) {
> >                 mmput(mm);
> >                 mm = ERR_PTR(-EACCES);
> >         }
> > --
> > 2.43.5
> >

-- 
Kees Cook