From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 81885C0218B for ; Fri, 24 Jan 2025 00:26:19 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D09536B00C9; Thu, 23 Jan 2025 19:26:18 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id CB9856B00CA; Thu, 23 Jan 2025 19:26:18 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B814D280017; Thu, 23 Jan 2025 19:26:18 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 98DA96B00C9 for ; Thu, 23 Jan 2025 19:26:18 -0500 (EST) Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 39155B0B22 for ; Fri, 24 Jan 2025 00:26:18 +0000 (UTC) X-FDA: 83040453636.10.72F9033 Received: from out-173.mta0.migadu.com (out-173.mta0.migadu.com [91.218.175.173]) by imf23.hostedemail.com (Postfix) with ESMTP id 2C097140002 for ; Fri, 24 Jan 2025 00:26:15 +0000 (UTC) Authentication-Results: imf23.hostedemail.com; dkim=pass header.d=linux.dev header.s=key1 header.b="PB2gJI/7"; spf=pass (imf23.hostedemail.com: domain of shakeel.butt@linux.dev designates 91.218.175.173 as permitted sender) smtp.mailfrom=shakeel.butt@linux.dev; dmarc=pass (policy=none) header.from=linux.dev ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1737678376; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=DTU+H9g9S1KRdaeFv8k4QBY+6+IjlyGyewpTM1VwtNY=; b=DxRB6k2qMzSHBsiqF5phE78Mt6ZZPtnDaYD5PEtIxDOZnq4vDz61FqTS8XSZA9KUaNDorP TgBp8EAv+abEWBxY1tzpdPe30Ek0E0UxFQEZ8PUl0gXhIrApIAxn00z6h8I6H+lWhEbTxK 3Q77iD7x/0ttwXVSioGrTKgKK1GvLuk= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1737678376; a=rsa-sha256; cv=none; b=oGTdqkDZvIa58teyDG9gTCKZZrXy9c/mIit40GVTzbLGa/p4e/qCB/gfkq4b6JE1Hau9ap vIzIZh8X8Hzh68xBjVRAeXV4elCJpmPJsgx2X3zFJyMatzGXwSJFc7OE9+FtagCxK/L0cW +lbNijJTpsds2wBqokg5v11TVXgQDrQ= ARC-Authentication-Results: i=1; imf23.hostedemail.com; dkim=pass header.d=linux.dev header.s=key1 header.b="PB2gJI/7"; spf=pass (imf23.hostedemail.com: domain of shakeel.butt@linux.dev designates 91.218.175.173 as permitted sender) smtp.mailfrom=shakeel.butt@linux.dev; dmarc=pass (policy=none) header.from=linux.dev Date: Thu, 23 Jan 2025 16:26:03 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1737678369; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DTU+H9g9S1KRdaeFv8k4QBY+6+IjlyGyewpTM1VwtNY=; b=PB2gJI/7j1FYWc5IO92Q3ksRKeQcYUZw3wtN2haAUQuhJz6X8J3DJRlwEt1jV2CRNjmDlC lJTMKxToTNsnguEdrD/w/4g2TnAblI1CyPI7hbxX7ednkwhGBas6e0C+4UAT12GvwZzG+t W2rwFn0EYB4K+hVSDOOYfq9Y+O1U1W4= X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Shakeel Butt To: Kees Cook Cc: Suren Baghdasaryan , Andrii Nakryiko , linux-mm@kvack.org, akpm@linux-foundation.org, linux-fsdevel@vger.kernel.org, brauner@kernel.org, viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, kernel-team@meta.com, rostedt@goodmis.org, peterz@infradead.org, mingo@kernel.org, linux-trace-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, rppt@kernel.org, liam.howlett@oracle.com, Jann Horn , linux-security-module@vger.kernel.org Subject: Re: [PATCH] mm,procfs: allow read-only remote mm access under CAP_PERFMON Message-ID: References: <20250123214342.4145818-1-andrii@kernel.org> <202501231526.A3C13EC5@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <202501231526.A3C13EC5@keescook> X-Migadu-Flow: FLOW_OUT X-Rspamd-Queue-Id: 2C097140002 X-Stat-Signature: 3nh3zp91cme6wrpr3zs5qqzjw5og8wxg X-Rspam-User: X-Rspamd-Server: rspam12 X-HE-Tag: 1737678375-840968 X-HE-Meta: U2FsdGVkX1/6RgbEGOeWMixBLjzGNWULusvqurhyUQfCbsKmjZHQnQVEa7GQtCKWeEjr6sBu0YFDpmPf0+L62PKjn1STyViz7QJbsrN8JoNXaqQAA/+Gqn9nM1iu4SC6y1bzmgWzk8SwOIHlG7EtpfVpDC/qxWYegMyuPWXskcdWeeDVs+ZAlRAidYuPhuS9qgYOBOI4ae4bWc487HC5ZD5WI/d3sNVI+cHPWRf/JQ9HgPuQhyWGGlyLyJnXzZfXFcFTrUWIEm8lwzaf8AsJ7aeN4oi6fhkoB3H2pS1aQ8VcBCNpz6DHtaRMMoJFWvpRlaYjvyq9tAd3w/L9LRtyMZt/AcwUU96R1vkw59iTlaWgPpWzE+UaUJyVZyjg5Z3uimO0zrC5ZDKIa3zlTZ1cDrOk7PmRUMWg5AYVFXG/OQBRdBEDX6nkpAaWHiKgdeRo/bf/OfzsPJ0eVclHbprd4gEOwohKUXlwbmdhO2YEDkd3DryArqvVsNkcaxzeTA1SwzlCorzJNLPz62QMBfVuvUtYMVOzF5TQKH8iOKmGAym38SteCnIcrcr7uH0KonwzlwRgqRWV6PCfQm1rAULCMkVnLRNTNkAxCDVcba5NXnmWvWxS1oOE8Q0udJRGs7OXb8FHFU8lRjaExF8X8dmLocOdp6+nb3ulS9jCjqF7f9jAApfN5n46/5R/J6fGmA0XM3dJggNGFx7ZSNdViCdW0lceQnKreH695vbY0V+JlTgdRdEDAzxl383w58heaHELLbCCKs4529RFCPXFvTaQwnwavoDyy89nui6FNYz4PS1iJSMLbM17VoXa2TeNjyrxqxRG4QMUutf+GU+RHq5UgDvSv0sea/lBwRp0p0FlcEHCeuTsouqZWfOy2i5TlepHFIXqsPl03QcZEbfcP4FxdZEuCgN0u8PivtEjDJ4Hqw+ottWRL/mxzZzP+yEQjPD98HbbTLdx6H6egtH5MGH ixYJIShN ms2YXlnrJK+eNyThPlS5BKIjvj55G3tdJcSl0Z/uoOJJoF/LmqnuBwxAPjEG2lV3mZ0vezO43cX+4ykS4OF6HuS82P8n9vHwZUXITM2fCTFTzM6gWcLqX4ZlwsE9aN3+Ykvu2QnPwrBLUf5ZXe6iCcUrqVb0HwO265TESnPJA50iDevl5xga/KyW2i5JfuKTfDcLTPZHdhve+Q2ZitT31g2/YMSsiDIES6WWPkBH3Mzxd7kFPXvfmIv1kkXc7O/nIQdimKjbjyIGeOG4PvpXUdRzX4Q== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Jan 23, 2025 at 03:47:44PM -0800, Kees Cook wrote: > On Thu, Jan 23, 2025 at 01:52:52PM -0800, Suren Baghdasaryan wrote: > > On Thu, Jan 23, 2025 at 1:44 PM Andrii Nakryiko wrote: > > > > > > It's very common for various tracing and profiling toolis to need to > > > access /proc/PID/maps contents for stack symbolization needs to learn > > > which shared libraries are mapped in memory, at which file offset, etc. > > > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we > > > are looking at data for our own process, which is a trivial case not too > > > relevant for profilers use cases). > > > > > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to > > > discover memory layout of another process: it allows to fully control > > > arbitrary other processes. This is problematic from security POV for > > > applications that only need read-only /proc/PID/maps (and other similar > > > read-only data) access, and in large production settings CAP_SYS_PTRACE > > > is frowned upon even for the system-wide profilers. > > > > > > On the other hand, it's already possible to access similar kind of > > > information (and more) with just CAP_PERFMON capability. E.g., setting > > > up PERF_RECORD_MMAP collection through perf_event_open() would give one > > > similar information to what /proc/PID/maps provides. > > > > > > CAP_PERFMON, together with CAP_BPF, is already a very common combination > > > for system-wide profiling and observability application. As such, it's > > > reasonable and convenient to be able to access /proc/PID/maps with > > > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. > > > > > > For procfs, these permissions are checked through common mm_access() > > > helper, and so we augment that with cap_perfmon() check *only* if > > > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be > > > permitted by CAP_PERFMON. > > > > > > Besides procfs itself, mm_access() is used by process_madvise() and > > > process_vm_{readv,writev}() syscalls. The former one uses > > > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON > > > seems like a meaningful allowable capability as well. > > > > > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of > > > permissions (though for readv PTRACE_MODE_READ seems more reasonable, > > > but that's outside the scope of this change), and as such won't be > > > affected by this patch. > > > > CC'ing Jann and Kees. > > > > > > > > Signed-off-by: Andrii Nakryiko > > > --- > > > kernel/fork.c | 11 ++++++++++- > > > 1 file changed, 10 insertions(+), 1 deletion(-) > > > > > > diff --git a/kernel/fork.c b/kernel/fork.c > > > index ded49f18cd95..c57cb3ad9931 100644 > > > --- a/kernel/fork.c > > > +++ b/kernel/fork.c > > > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task) > > > } > > > EXPORT_SYMBOL_GPL(get_task_mm); > > > > > > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode) > > > +{ > > > + if (mm == current->mm) > > > + return true; > > > + if ((mode & PTRACE_MODE_READ) && perfmon_capable()) > > > + return true; > > > + return ptrace_may_access(task, mode); > > > +} > > nit: "may" tends to be used more than "can" for access check function naming. > > So, this will bypass security_ptrace_access_check() within > ptrace_may_access(). CAP_PERFMON may be something LSMs want visibility > into. > > It also bypasses the dumpability check in __ptrace_may_access(). (Should > non-dumpability block visibility into "maps" under CAP_PERFMON?) > > This change provides read access for CAP_PERFMON to: > > /proc/$pid/maps > /proc/$pid/smaps > /proc/$pid/mem > /proc/$pid/environ > /proc/$pid/auxv > /proc/$pid/attr/* > /proc/$pid/smaps_rollup > /proc/$pid/pagemap > > /proc/$pid/mem access seems way out of bounds for CAP_PERFMON. environ > and auxv maybe too much also. The "attr" files seem iffy. pagemap may be > reasonable. >From what I understand, PTRACE_MODE_ATTACH is used for /proc/$pid/mem, so this patch is not changing anything. However for environ and auxv, PTRACE_MODE_READ is being used, so they will be accessible for CAP_PERFMON. What's your reason behind too much for environ and auxv?