Re: [PATCH] mm,procfs: allow read-only remote mm access under CAP_PERFMON
From: Christian Brauner <brauner@kernel.org>
Date: 2025-01-24 09:45:56
Also in:
bpf, linux-fsdevel, linux-mm, linux-perf-users, lkml
On Thu, Jan 23, 2025 at 01:43:42PM -0800, Andrii Nakryiko wrote:
quoted hunk ↗ jump to hunk
It's very common for various tracing and profiling toolis to need to access /proc/PID/maps contents for stack symbolization needs to learn which shared libraries are mapped in memory, at which file offset, etc. Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we are looking at data for our own process, which is a trivial case not too relevant for profilers use cases). Unfortunately, CAP_SYS_PTRACE implies way more than just ability to discover memory layout of another process: it allows to fully control arbitrary other processes. This is problematic from security POV for applications that only need read-only /proc/PID/maps (and other similar read-only data) access, and in large production settings CAP_SYS_PTRACE is frowned upon even for the system-wide profilers. On the other hand, it's already possible to access similar kind of information (and more) with just CAP_PERFMON capability. E.g., setting up PERF_RECORD_MMAP collection through perf_event_open() would give one similar information to what /proc/PID/maps provides. CAP_PERFMON, together with CAP_BPF, is already a very common combination for system-wide profiling and observability application. As such, it's reasonable and convenient to be able to access /proc/PID/maps with CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. For procfs, these permissions are checked through common mm_access() helper, and so we augment that with cap_perfmon() check *only* if requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be permitted by CAP_PERFMON. Besides procfs itself, mm_access() is used by process_madvise() and process_vm_{readv,writev}() syscalls. The former one uses PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON seems like a meaningful allowable capability as well. process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of permissions (though for readv PTRACE_MODE_READ seems more reasonable, but that's outside the scope of this change), and as such won't be affected by this patch. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> --- kernel/fork.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)diff --git a/kernel/fork.c b/kernel/fork.c index ded49f18cd95..c57cb3ad9931 100644 --- a/kernel/fork.c +++ b/kernel/fork.c@@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task) } EXPORT_SYMBOL_GPL(get_task_mm); +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode) +{ + if (mm == current->mm) + return true; + if ((mode & PTRACE_MODE_READ) && perfmon_capable()) + return true;
Just fyi, I suspect that this will trigger new audit denials if the task doesn't have CAP_SYS_ADMIN or CAP_PERFORM in the initial user namespace but where it would still have access through ptrace_may_access(). Such changes have led to complaints before. I'm not sure how likely that is but it might be noticable. If that's the case ns_capable_noaudit(&init_user_ns, ...) would help.
quoted hunk ↗ jump to hunk
+ return ptrace_may_access(task, mode); +} + struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) { struct mm_struct *mm;@@ -1559,7 +1568,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) mm = get_task_mm(task); if (!mm) { mm = ERR_PTR(-ESRCH); - } else if (mm != current->mm && !ptrace_may_access(task, mode)) { + } else if (!can_access_mm(mm, task, mode)) { mmput(mm); mm = ERR_PTR(-EACCES); }-- 2.43.5