From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 42B9AC0218B for ; Fri, 24 Jan 2025 09:46:00 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B4AAD280057; Fri, 24 Jan 2025 04:45:59 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id AD349280056; Fri, 24 Jan 2025 04:45:59 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9748B280057; Fri, 24 Jan 2025 04:45:59 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 7753A280056 for ; Fri, 24 Jan 2025 04:45:59 -0500 (EST) Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id CDD27C1025 for ; Fri, 24 Jan 2025 09:45:58 +0000 (UTC) X-FDA: 83041863996.21.692D3C2 Received: from nyc.source.kernel.org (nyc.source.kernel.org [147.75.193.91]) by imf12.hostedemail.com (Postfix) with ESMTP id 3ACE240005 for ; Fri, 24 Jan 2025 09:45:57 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=r5sDAFyt; spf=pass (imf12.hostedemail.com: domain of brauner@kernel.org designates 147.75.193.91 as permitted sender) smtp.mailfrom=brauner@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1737711957; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=sBwIs4Eu6TA4z/G9sSZ0FiQS/jD42eEs1vAklpdCzy4=; b=4DPlFnaUsidnGfNooDXkxPQtBXx8CCNYUU9voSAzznqUIuLdMTdswlXMJjZXqIpP6QXmiS 637bFLgtS5qNQF/HHZowhfg7bziUdUVrC59ke2RJO8PXnWs/Id7PCE5+kmvWwRnnzHVry0 BD78rUouuBfPy1QQuRZxq0mdmPs93/o= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=r5sDAFyt; spf=pass (imf12.hostedemail.com: domain of brauner@kernel.org designates 147.75.193.91 as permitted sender) smtp.mailfrom=brauner@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1737711957; a=rsa-sha256; cv=none; b=NP0uM0nq8I+Fcfg2GhnX1dTI8PYyj+GFC1IEsK7Jq91rZ01zBYLEJ8eMrSzR/Ty0u/PHVG yn1dUl4Bt/jmo818WiTqgyc1tUkNs8cv51uSrjmUS8QbBFgp9bGkLR3T03/E8PclWjEotK 3QLfxO3g2q/Hv3ffgPBaZsYmWzo9zPE= Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by nyc.source.kernel.org (Postfix) with ESMTP id 19533A411BD; Fri, 24 Jan 2025 09:44:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4B960C4CED2; Fri, 24 Jan 2025 09:45:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1737711956; bh=eB2zDntAjt8L+m9HIlRkkULjJqOEs9/jE8oisXlLBWU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=r5sDAFytysFAd08xigMIdNSQaON3PfDxZ9tc2l98pwn0W46Ey2NIYkhf0+iCBAHls 1+on1E+DvhXwG4zDqHZUhtELbONQvdPAIWLAgT4ke458UWqPtrerWhznFTx6LmtEcn ZByXndeHa8U9otquiYrS+xKHlt6wgIs6yLqefkaa5acZpR8OejesrGUtZRjgCL3hGf BVnePg8OtowoCgFrP8cGL7+qi+ugAKLi7RS3UW+xRArwnq1y4xu3En9+PwD/gIOPht 3cJh1+WuLGlR+d34M7Gsp5/oDDSJDkJIpwgpuyZKbrOaiDPbArRMfQqNumuRYPLpKM jO3u/iaJNGQwg== Date: Fri, 24 Jan 2025 10:45:48 +0100 From: Christian Brauner To: Andrii Nakryiko Cc: linux-mm@kvack.org, akpm@linux-foundation.org, linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, kernel-team@meta.com, rostedt@goodmis.org, peterz@infradead.org, mingo@kernel.org, linux-trace-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, shakeel.butt@linux.dev, rppt@kernel.org, liam.howlett@oracle.com, surenb@google.com Subject: Re: [PATCH] mm,procfs: allow read-only remote mm access under CAP_PERFMON Message-ID: <20250124-zander-restaurant-7583fe1634b9@brauner> References: <20250123214342.4145818-1-andrii@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20250123214342.4145818-1-andrii@kernel.org> X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 3ACE240005 X-Stat-Signature: cw11degodaketqiipnyah9k7oo5dmstw X-Rspam-User: X-HE-Tag: 1737711957-9883 X-HE-Meta: U2FsdGVkX1/QiGSwvTGWHqNv8k8TCOUpPzbszdVUFc13J+v0q2Iprb2Ji3vKrc3O+hNVtdTsY9ZE9qq4kTcHJcG0GOt0PTksh2oT2wU/v0ubTmbeSoF7ypPPbdiI6LjBXiPXrqWxRKzH1qMpSUtFqULIUydQK2JtoraPXdOKMCFZElHmhcx/GSZoA8sz268sC0UCkPBkP7y6KMB/fe7d3STyJql9rkZuczYRg+Ace5yJj2cq4tvTw27hYPavl3kPWZ9mpl1WTHIcLrT9pjyN9gt8rU8SvGc80qETJ0f5+fXXjbss+B2lAqdPBnZSGI26MwFHxIhLpIH6JwLOqCKs/8eic89I428YV5uS9IyLH2x2dT9p2/x5IsCwxx96gteYaonvC8xEm6xefn4R6lv4wOiiy3sdbm8Mg7Rz5aMcyIJLW5HIYwLG1gDnP52BQDXsNTJ99u+K427YNUNKhwWTTq05HJBifaNayOKqd/HthD1bNuz5zkSN37uWq2Z0t6fHR8COc5u/QwKWXvi25tOWvT23UO7Ue9LaXkF8IxbPs9mqx0UnAH77I02pCqce6/fvOcr73zsOj70Se6G450ZE7iSfvGX5b3zoEUNwRS/em7baTUoziyw/xNoWqUX0rsJfYf2KmYiRNEYNaOt5zmgmVz8U4BtPxAQFm1tWASjD+eC/Iq4a0+/tjazs39qqP8oALTvfFOTAKtmcZhgNNp4UO1NfAJM0VacngcsLR40nrMrmVQpoZ2WXN2w6kyWYivPZ3Xa4U4Ege3dtrP2L3Sj6KFqvKNcI+r5YvJOI4VDlM6+RLqV63MAbG8S3afvPK5FNG2tTV+s+L1C+GHlmTLr5NuW8Ks7uyIsNk5lDc7QF0DsvTjrETjf+ChTbIS1M9tXMoPNrPYYzKmtMdjlE8EAuei3et/qr2G3xd2t5IMQqDUNqkVoUBM4R2b7eBa1j92oKGU/xbAksYZo7AnkGfJ2 eNwRGHxi 2thT5YpNRPsgt8NnPLami8XrwzUYxrHx2nrvKyr0IuPRItJHTWRnD+FyYxJhEYON9jVZ1WcL7X5g9CdgZam+ij4qXjtIREseGBtz6bHtSqoW8W+xt9pVGGt2i5lvWZPxbKYbln0leo2bEThm3txAgV00OGgnDTIAUY7ZuchecT8PFAOtYSStIlVHEEXQ9XuISYHxY38GYh1jj19B/+A+Wdn5LmiQLzXy4SMCbrKKjqnDpP/uLYrAzZCQDfKDzudePDtcSinKawYX8t6P8jNFMyCmKdA9/5X5ZxQKpGjbvMv/qRpx6CnQ0L1a9GqFfQIcK/cgx6biIVXOVVCsB2VRfOVFN7CI6SeFOBZ0X8a6jji2O8XCXEFHJ/a6i3Q== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Jan 23, 2025 at 01:43:42PM -0800, Andrii Nakryiko wrote: > It's very common for various tracing and profiling toolis to need to > access /proc/PID/maps contents for stack symbolization needs to learn > which shared libraries are mapped in memory, at which file offset, etc. > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we > are looking at data for our own process, which is a trivial case not too > relevant for profilers use cases). > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to > discover memory layout of another process: it allows to fully control > arbitrary other processes. This is problematic from security POV for > applications that only need read-only /proc/PID/maps (and other similar > read-only data) access, and in large production settings CAP_SYS_PTRACE > is frowned upon even for the system-wide profilers. > > On the other hand, it's already possible to access similar kind of > information (and more) with just CAP_PERFMON capability. E.g., setting > up PERF_RECORD_MMAP collection through perf_event_open() would give one > similar information to what /proc/PID/maps provides. > > CAP_PERFMON, together with CAP_BPF, is already a very common combination > for system-wide profiling and observability application. As such, it's > reasonable and convenient to be able to access /proc/PID/maps with > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. > > For procfs, these permissions are checked through common mm_access() > helper, and so we augment that with cap_perfmon() check *only* if > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be > permitted by CAP_PERFMON. > > Besides procfs itself, mm_access() is used by process_madvise() and > process_vm_{readv,writev}() syscalls. The former one uses > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON > seems like a meaningful allowable capability as well. > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of > permissions (though for readv PTRACE_MODE_READ seems more reasonable, > but that's outside the scope of this change), and as such won't be > affected by this patch. > > Signed-off-by: Andrii Nakryiko > --- > kernel/fork.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/kernel/fork.c b/kernel/fork.c > index ded49f18cd95..c57cb3ad9931 100644 > --- a/kernel/fork.c > +++ b/kernel/fork.c > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task) > } > EXPORT_SYMBOL_GPL(get_task_mm); > > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode) > +{ > + if (mm == current->mm) > + return true; > + if ((mode & PTRACE_MODE_READ) && perfmon_capable()) > + return true; Just fyi, I suspect that this will trigger new audit denials if the task doesn't have CAP_SYS_ADMIN or CAP_PERFORM in the initial user namespace but where it would still have access through ptrace_may_access(). Such changes have led to complaints before. I'm not sure how likely that is but it might be noticable. If that's the case ns_capable_noaudit(&init_user_ns, ...) would help. > + return ptrace_may_access(task, mode); > +} > + > struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) > { > struct mm_struct *mm; > @@ -1559,7 +1568,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) > mm = get_task_mm(task); > if (!mm) { > mm = ERR_PTR(-ESRCH); > - } else if (mm != current->mm && !ptrace_may_access(task, mode)) { > + } else if (!can_access_mm(mm, task, mode)) { > mmput(mm); > mm = ERR_PTR(-EACCES); > } > -- > 2.43.5 >