| Message ID | 20250127222114.1132392-1-andrii@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] mm,procfs: allow read-only remote mm access under CAP_PERFMON | expand |
On Mon, 27 Jan 2025 14:21:14 -0800 Andrii Nakryiko <andrii@kernel.org> wrote: > It's very common for various tracing and profiling toolis to need to > access /proc/PID/maps contents for stack symbolization needs to learn > which shared libraries are mapped in memory, at which file offset, etc. > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we > are looking at data for our own process, which is a trivial case not too > relevant for profilers use cases). > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to > discover memory layout of another process: it allows to fully control > arbitrary other processes. This is problematic from security POV for > applications that only need read-only /proc/PID/maps (and other similar > read-only data) access, and in large production settings CAP_SYS_PTRACE > is frowned upon even for the system-wide profilers. > > On the other hand, it's already possible to access similar kind of > information (and more) with just CAP_PERFMON capability. E.g., setting > up PERF_RECORD_MMAP collection through perf_event_open() would give one > similar information to what /proc/PID/maps provides. > > CAP_PERFMON, together with CAP_BPF, is already a very common combination > for system-wide profiling and observability application. As such, it's > reasonable and convenient to be able to access /proc/PID/maps with > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. > > For procfs, these permissions are checked through common mm_access() > helper, and so we augment that with cap_perfmon() check *only* if > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be > permitted by CAP_PERFMON. So /proc/PID/mem, which uses > PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but > /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only > contents will be allowable under CAP_PERFMON. > > Besides procfs itself, mm_access() is used by process_madvise() and > process_vm_{readv,writev}() syscalls. The former one uses > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON > seems like a meaningful allowable capability as well. > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of > permissions (though for readv PTRACE_MODE_READ seems more reasonable, > but that's outside the scope of this change), and as such won't be > affected by this patch. > This should be documented somewhere, so we can tell our users what we did. Documentation/filesystems/proc.rst seems to be the place. .
On Mon, Jan 27, 2025 at 4:41 PM Andrew Morton <akpm@linux-foundation.org> wrote: > > On Mon, 27 Jan 2025 14:21:14 -0800 Andrii Nakryiko <andrii@kernel.org> wrote: > > > It's very common for various tracing and profiling toolis to need to > > access /proc/PID/maps contents for stack symbolization needs to learn > > which shared libraries are mapped in memory, at which file offset, etc. > > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we > > are looking at data for our own process, which is a trivial case not too > > relevant for profilers use cases). > > > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to > > discover memory layout of another process: it allows to fully control > > arbitrary other processes. This is problematic from security POV for > > applications that only need read-only /proc/PID/maps (and other similar > > read-only data) access, and in large production settings CAP_SYS_PTRACE > > is frowned upon even for the system-wide profilers. > > > > On the other hand, it's already possible to access similar kind of > > information (and more) with just CAP_PERFMON capability. E.g., setting > > up PERF_RECORD_MMAP collection through perf_event_open() would give one > > similar information to what /proc/PID/maps provides. > > > > CAP_PERFMON, together with CAP_BPF, is already a very common combination > > for system-wide profiling and observability application. As such, it's > > reasonable and convenient to be able to access /proc/PID/maps with > > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. > > > > For procfs, these permissions are checked through common mm_access() > > helper, and so we augment that with cap_perfmon() check *only* if > > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be > > permitted by CAP_PERFMON. So /proc/PID/mem, which uses > > PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but > > /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only > > contents will be allowable under CAP_PERFMON. > > > > Besides procfs itself, mm_access() is used by process_madvise() and > > process_vm_{readv,writev}() syscalls. The former one uses > > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON > > seems like a meaningful allowable capability as well. > > > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of > > permissions (though for readv PTRACE_MODE_READ seems more reasonable, > > but that's outside the scope of this change), and as such won't be > > affected by this patch. > > > > This should be documented somewhere, so we can tell our users what we > did. Documentation/filesystems/proc.rst seems to be the place. . Wow, that's a big file :) Funny enough, that file mentions ptrace only in the context of /proc/<pid>/timerslack_ns, nothing else. Hm.. Should I add a common section saying something about how either CAP_SYS_PTRACE or CAP_PERFMON provides access to other process' user space information? If that's ok, I can send that as a follow up patch (as I bet there will be a bunch of iteration on exact form, shape, wording, placement).
On Mon, Jan 27, 2025 at 02:21:14PM -0800, Andrii Nakryiko wrote: > It's very common for various tracing and profiling toolis to need to > access /proc/PID/maps contents for stack symbolization needs to learn > which shared libraries are mapped in memory, at which file offset, etc. > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we > are looking at data for our own process, which is a trivial case not too > relevant for profilers use cases). > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to > discover memory layout of another process: it allows to fully control > arbitrary other processes. This is problematic from security POV for > applications that only need read-only /proc/PID/maps (and other similar > read-only data) access, and in large production settings CAP_SYS_PTRACE > is frowned upon even for the system-wide profilers. > > On the other hand, it's already possible to access similar kind of > information (and more) with just CAP_PERFMON capability. E.g., setting > up PERF_RECORD_MMAP collection through perf_event_open() would give one > similar information to what /proc/PID/maps provides. > > CAP_PERFMON, together with CAP_BPF, is already a very common combination > for system-wide profiling and observability application. As such, it's > reasonable and convenient to be able to access /proc/PID/maps with > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. > > For procfs, these permissions are checked through common mm_access() > helper, and so we augment that with cap_perfmon() check *only* if > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be > permitted by CAP_PERFMON. So /proc/PID/mem, which uses > PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but > /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only > contents will be allowable under CAP_PERFMON. > > Besides procfs itself, mm_access() is used by process_madvise() and > process_vm_{readv,writev}() syscalls. The former one uses > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON > seems like a meaningful allowable capability as well. > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of > permissions (though for readv PTRACE_MODE_READ seems more reasonable, > but that's outside the scope of this change), and as such won't be > affected by this patch. > > Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
diff --git a/kernel/fork.c b/kernel/fork.c index ded49f18cd95..452018f752a1 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1547,6 +1547,17 @@ struct mm_struct *get_task_mm(struct task_struct *task) } EXPORT_SYMBOL_GPL(get_task_mm); +static bool may_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode) +{ + if (mm == current->mm) + return true; + if (ptrace_may_access(task, mode)) + return true; + if ((mode & PTRACE_MODE_READ) && perfmon_capable()) + return true; + return false; +} + struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) { struct mm_struct *mm; @@ -1559,7 +1570,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) mm = get_task_mm(task); if (!mm) { mm = ERR_PTR(-ESRCH); - } else if (mm != current->mm && !ptrace_may_access(task, mode)) { + } else if (!may_access_mm(mm, task, mode)) { mmput(mm); mm = ERR_PTR(-EACCES); }
It's very common for various tracing and profiling toolis to need to access /proc/PID/maps contents for stack symbolization needs to learn which shared libraries are mapped in memory, at which file offset, etc. Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we are looking at data for our own process, which is a trivial case not too relevant for profilers use cases). Unfortunately, CAP_SYS_PTRACE implies way more than just ability to discover memory layout of another process: it allows to fully control arbitrary other processes. This is problematic from security POV for applications that only need read-only /proc/PID/maps (and other similar read-only data) access, and in large production settings CAP_SYS_PTRACE is frowned upon even for the system-wide profilers. On the other hand, it's already possible to access similar kind of information (and more) with just CAP_PERFMON capability. E.g., setting up PERF_RECORD_MMAP collection through perf_event_open() would give one similar information to what /proc/PID/maps provides. CAP_PERFMON, together with CAP_BPF, is already a very common combination for system-wide profiling and observability application. As such, it's reasonable and convenient to be able to access /proc/PID/maps with CAP_PERFMON capabilities instead of CAP_SYS_PTRACE. For procfs, these permissions are checked through common mm_access() helper, and so we augment that with cap_perfmon() check *only* if requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be permitted by CAP_PERFMON. So /proc/PID/mem, which uses PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only contents will be allowable under CAP_PERFMON. Besides procfs itself, mm_access() is used by process_madvise() and process_vm_{readv,writev}() syscalls. The former one uses PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON seems like a meaningful allowable capability as well. process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of permissions (though for readv PTRACE_MODE_READ seems more reasonable, but that's outside the scope of this change), and as such won't be affected by this patch. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> --- v1->v2: - expanded commit message a bit more about PTRACE_MODE_ATTACH vs PTRACE_MODE_READ uses inside procfs; left the generic logic untouched, as it still seems generally meaningful to allow CAP_PERFMON for read-only memory access, given its use within perf and BPF subsystems; - moved perfmon_capable() check after ptrace_may_access() to minimize the worry of extra audit messages where CAP_SYS_PTRACE would be provided (Christian); - s/can/may/_access_mm rename (Kees); kernel/fork.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)