From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1AF97C02181 for ; Fri, 24 Jan 2025 09:39:01 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A5E36280055; Fri, 24 Jan 2025 04:39:00 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id A0D3B280053; Fri, 24 Jan 2025 04:39:00 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8FBE2280055; Fri, 24 Jan 2025 04:39:00 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 73225280053 for ; Fri, 24 Jan 2025 04:39:00 -0500 (EST) Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 2F3AE1A10F6 for ; Fri, 24 Jan 2025 09:39:00 +0000 (UTC) X-FDA: 83041846440.14.35D30B5 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf04.hostedemail.com (Postfix) with ESMTP id 8167340011 for ; Fri, 24 Jan 2025 09:38:58 +0000 (UTC) Authentication-Results: imf04.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=ayliuE46; spf=pass (imf04.hostedemail.com: domain of brauner@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=brauner@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1737711538; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=YyGxrz8/b4hfJcC71l2MP0a/PDwe6Kxl69CN+NiYnWg=; b=s7cxZp9SniEV0GXkLh9KqBqvonOD+6gYeyRaOmQS2C8ej36hdhArH43i62Ij5ENUUk+zzM vo5cTNUXyWTIQBNOX3hDLg1OPVednvB56Hi0b9noEUjdU5jzenlQo0/ZIgLJmwB8/v1YHc w+nU1KWlunMNaseN/UJ4F/TqlWEAMnM= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1737711538; a=rsa-sha256; cv=none; b=UN6mliRUa01yydvTwwv6kAFsaXGy/YmndLeggggePoeAqL+spj+AxywAMpz5vnbG/gResr TDMBk6BZkdc+81SJAA963v+NRpMgl7S7Z1iPfnQIiWOaGrG2yJArPlnKgpHpAxdyT3Hs6W Ff1woZWWzd4X4wU6kaVXa5yiCj9aydE= ARC-Authentication-Results: i=1; imf04.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=ayliuE46; spf=pass (imf04.hostedemail.com: domain of brauner@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=brauner@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 18AE85C5CFA; Fri, 24 Jan 2025 09:38:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 457A3C4CED2; Fri, 24 Jan 2025 09:38:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1737711537; bh=w44kYJhywS4/lsXTR5UrbeYOFe3r10lL99Jo0jLdLfo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ayliuE46c+pkA4cw/TgHsouqsiEEftspfVob2Dh8Wegh2NNJYvDxDdtPFFGPCk1SL wVz11BKwjOmQosW5Wiuu9R1o3TjWJr0wJzKw3yXcKAfDIn7AXvUqd0xA7hBA3xkmB1 elwLMw5LFGUT1J3V+wEP9YSG6JC026hgc+mxvGqMhh7VAKlx+G9zArV2z/9aGMNgC5 /LpuJgfjXXybVjwXzMcNn3T2HEK8YLRRQdYFVfkQAbg0F6EK0cin0cRyIMO84/MweJ uFmXVnjrznA+vcqwwKQ9HkhflSfy9CewFL1iCe7pN8V2soL1uANnpB1ewIglfqLK4I gUbupDqLGAarQ== Date: Fri, 24 Jan 2025 10:38:49 +0100 From: Christian Brauner To: Andrii Nakryiko Cc: Kees Cook , Suren Baghdasaryan , Andrii Nakryiko , linux-mm@kvack.org, akpm@linux-foundation.org, linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, kernel-team@meta.com, rostedt@goodmis.org, peterz@infradead.org, mingo@kernel.org, linux-trace-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, shakeel.butt@linux.dev, rppt@kernel.org, liam.howlett@oracle.com, Jann Horn , linux-security-module@vger.kernel.org Subject: Re: [PATCH] mm,procfs: allow read-only remote mm access under CAP_PERFMON Message-ID: <20250124-hermachen-truthahn-f0ba886b6ae7@brauner> References: <20250123214342.4145818-1-andrii@kernel.org> <202501231526.A3C13EC5@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Stat-Signature: ookrw38b7zzzkze9d6oh777sy6gpcg81 X-Rspamd-Queue-Id: 8167340011 X-Rspam-User: X-Rspamd-Server: rspam06 X-HE-Tag: 1737711538-451320 X-HE-Meta: U2FsdGVkX1+9pJa6WXl00MzN0d6BOIYBOJlNGJO+sRO0U0CR5tg8aKNjb+Np8/Z9xij4PhEAqSwv2VSBVNKiL0B5+oJUZd1QC7rNVh2vllpPrv2njLMRZCEX9D36xbwpq5z7VHffFMcY9C9X6uXvc01V1a0N5v88Ccb/V7N/F08KRNMVBmj7Dmj4NZ/lVoXkTqvoq0++eD0CwjEd5S/66Ay9ac8ZYV7O/dfupmSN+wVUeyXBXitX/okHMsrGUGESBKDHclTQp+WAtI3LKLfnbwqPYTvNexNCAWGaEwlARpLopQFfIfAV+J+tJrl6oKIywuQupLUyCLYFZKkijiBmRLn0rjdLlHzF2eA6Djuhhf0simVt47+RONeqU4njAsXbOuRnolf6D8chH7wqs6YPa/Kb4SGY605SU1N1gP4VC+/RQjl1On63hG0qroEJFM7UMcPpxfEP47V9eNH5E3/zeL4FvGyhe/CHwZQkRoI3g7X3qd/BHoRb1ROxNCnoRncUUJdFI6gk3oDA8zpJeRe6qZm3Mq99TxAcQS8XnaNsOgHcXNkqPRImCDpkLSvET9cwce9Shq1n42TQDmMJBr7aVNiqyEhsB3Pm+QobBhIpHdqVrY0Jfolx06mr1/vQeqg+/sENSm/UI1S+w4X3oTXxBggkjBar0aRbtWVz3stWmq2so8q0VbVPYi56e4i8dQM08GzsWUA8YOuuYNCw2DUda5CBUROeyR6gquF2PjpGqY5oEdoS6r+bvXHrQNytW6j0RIPMDlHoiXL+pNezRyeExBVn7WkyChlZZECXA+RE0QEIsfp/SpzJa9coh6LXN/9ATg8K0O5iYM5u3Jg7DPtlKNSCkd73IXphh/LttZSZv8kTUMDlC9jRb8IYouInwQnzxLslcqLpJaucsQupd1A9xwbnlgpcvcbOjCgNA2eFx8HKcMwClFtgamD92L1a2c1bezpeg5ZFos2MHGIwSnm D2D4NF6x Tjx7YiDwtwS6Nio9yfGUrECmOOwZ0eR8j49hjusg532ImHXKoGxnNHL50dM7hUnhNkPbTAPSwC3E7FwvVawzLRn/r1osJf9jbPJNPacrSVvyxemX088JJ3QwQwDLHZxaPudeZoc+HPAfbMNNnA6zJXnvkbb9vOeinzu6TxAbMwliyvrvVRXv5/HHNFPflrFqSe5KI1W27pHv4/LsDz8EpKL9E+gi3Q3y5QGUTJNFv4KPhQxdwNzLLy/fC2fVn3g9AgJi85zBH2MHjYabhnZiMu90loGDyG432f56gRFvBVMe0q/poPGgCE69e0n5MbgIMfy0XINDN+kZYituvJC4LAJKhMjy3/JWDzrHQ8dEaFTtP4PNv8HrC7DvRK5jDnYQIP/UeDovFZaCrAPbpDkXAptHFS6j1LjdOqUPoKZL0MKgO9oMTrK52U9PQ+EgqQpsyfvbitHYlaFhQ1UIUJXmB/b/Jmw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Jan 23, 2025 at 04:59:38PM -0800, Andrii Nakryiko wrote: > On Thu, Jan 23, 2025 at 3:47 PM Kees Cook wrote: > > > > On Thu, Jan 23, 2025 at 01:52:52PM -0800, Suren Baghdasaryan wrote: > > > On Thu, Jan 23, 2025 at 1:44 PM Andrii Nakryiko wrote: > > > > > > > > It's very common for various tracing and profiling toolis to need to > > > > access /proc/PID/maps contents for stack symbolization needs to learn > > > > which shared libraries are mapped in memory, at which file offset, etc. > > > > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we > > > > are looking at data for our own process, which is a trivial case not too > > > > relevant for profilers use cases). > > > > > > > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to > > > > discover memory layout of another process: it allows to fully control > > > > arbitrary other processes. This is problematic from security POV for > > > > applications that only need read-only /proc/PID/maps (and other similar > > > > read-only data) access, and in large production settings CAP_SYS_PTRACE > > > > is frowned upon even for the system-wide profilers. > > > > > > > > On the other hand, it's already possible to access similar kind of > > > > information (and more) with just CAP_PERFMON capability. E.g., setting > > > > up PERF_RECORD_MMAP collection through perf_event_open() would give one > > > > similar information to what /proc/PID/maps provides. > > > > > > > > CAP_PERFMON, together with CAP_BPF, is already a very common combination > > > > for system-wide profiling and observability application. As such, it's > > > > reasonable and convenient to be able to access /proc/PID/maps with > > > > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. > > > > > > > > For procfs, these permissions are checked through common mm_access() > > > > helper, and so we augment that with cap_perfmon() check *only* if > > > > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be > > > > permitted by CAP_PERFMON. > > > > > > > > Besides procfs itself, mm_access() is used by process_madvise() and > > > > process_vm_{readv,writev}() syscalls. The former one uses > > > > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON > > > > seems like a meaningful allowable capability as well. > > > > > > > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of > > > > permissions (though for readv PTRACE_MODE_READ seems more reasonable, > > > > but that's outside the scope of this change), and as such won't be > > > > affected by this patch. > > > > > > CC'ing Jann and Kees. > > > > > > > > > > > Signed-off-by: Andrii Nakryiko > > > > --- > > > > kernel/fork.c | 11 ++++++++++- > > > > 1 file changed, 10 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/kernel/fork.c b/kernel/fork.c > > > > index ded49f18cd95..c57cb3ad9931 100644 > > > > --- a/kernel/fork.c > > > > +++ b/kernel/fork.c > > > > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task) > > > > } > > > > EXPORT_SYMBOL_GPL(get_task_mm); > > > > > > > > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode) > > > > +{ > > > > + if (mm == current->mm) > > > > + return true; > > > > + if ((mode & PTRACE_MODE_READ) && perfmon_capable()) > > > > + return true; > > > > + return ptrace_may_access(task, mode); > > > > +} > > > > nit: "may" tends to be used more than "can" for access check function naming. > > good point, will change to "may" > > > > > So, this will bypass security_ptrace_access_check() within > > ptrace_may_access(). CAP_PERFMON may be something LSMs want visibility > > into. > > yeah, similar to perf's perf_check_permission() (though, admittedly, > perf has its own security_perf_event_open(&attr, PERF_SECURITY_OPEN) > check much earlier in perf_event_open() logic) > > > > > It also bypasses the dumpability check in __ptrace_may_access(). (Should > > non-dumpability block visibility into "maps" under CAP_PERFMON?) > > With perf_event_open() and PERF_RECORD_MMAP none of this dumpability > is honored today as well, so I think CAP_PERFMON should override all > these ptrace things here, no? > > > > > This change provides read access for CAP_PERFMON to: > > > > /proc/$pid/maps > > /proc/$pid/smaps > > /proc/$pid/mem > > /proc/$pid/environ > > /proc/$pid/auxv > > /proc/$pid/attr/* > > /proc/$pid/smaps_rollup > > /proc/$pid/pagemap > > > > /proc/$pid/mem access seems way out of bounds for CAP_PERFMON. environ > > and auxv maybe too much also. The "attr" files seem iffy. pagemap may be > > reasonable. > > As Shakeel pointed out, /proc/PID/mem is PTRACE_MODE_ATTACH, so won't > be permitted under CAP_PERFMON either. > > Don't really know what auxv is, but I could read all that with BPF if > I had CAP_PERFMON, for any task, so not like we are opening up new > possibilities here. > > > > > Gaining CAP_PERFMON access to *only* the "maps" file doesn't seem too > > bad to me, but I think the proposed patch ends up providing way too wide > > access to other things. > > I do care about maps mostly, yes, but I also wanted to avoid > duplicating all that mm_access() logic just for maps (and probably > smaps, they are the same data). But again, CAP_PERFMON basically means > read-only tracing access to anything within kernel and any user > process, so it felt appropriate to allow CAP_PERFMON here. > > > > > Also, this is doing an init-namespace capability check for > > CAP_PERFMON (via perfmon_capable()). Shouldn't this be per-namespace? > > CAP_PERFMON isn't namespaced as far as perf_event_open() is concerned, > so at least for that reason I don't want to relax the requirement > here. Namespacing CAP_PERFMON in general is interesting and I bet > there are users that would appreciate that, but that's an entire epic > journey we probably don't want to start here. Agreed.