| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4BzbGZHAmBYkPVHFH-M60p3Z4DyrZFeh6ZKZ7+isu+RmdqA@mail.gmail.com>
Date: Fri, 24 Jan 2025 09:31:53 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Christian Brauner <brauner@...nel.org>
Cc: Andrii Nakryiko <andrii@...nel.org>, linux-mm@...ck.org, akpm@...ux-foundation.org,
linux-fsdevel@...r.kernel.org, viro@...iv.linux.org.uk,
linux-kernel@...r.kernel.org, bpf@...r.kernel.org, kernel-team@...a.com,
rostedt@...dmis.org, peterz@...radead.org, mingo@...nel.org,
linux-trace-kernel@...r.kernel.org, linux-perf-users@...r.kernel.org,
shakeel.butt@...ux.dev, rppt@...nel.org, liam.howlett@...cle.com,
surenb@...gle.com
Subject: Re: [PATCH] mm,procfs: allow read-only remote mm access under CAP_PERFMON
On Fri, Jan 24, 2025 at 1:45 AM Christian Brauner <brauner@...nel.org> wrote:
>
> On Thu, Jan 23, 2025 at 01:43:42PM -0800, Andrii Nakryiko wrote:
> > It's very common for various tracing and profiling toolis to need to
> > access /proc/PID/maps contents for stack symbolization needs to learn
> > which shared libraries are mapped in memory, at which file offset, etc.
> > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> > are looking at data for our own process, which is a trivial case not too
> > relevant for profilers use cases).
> >
> > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> > discover memory layout of another process: it allows to fully control
> > arbitrary other processes. This is problematic from security POV for
> > applications that only need read-only /proc/PID/maps (and other similar
> > read-only data) access, and in large production settings CAP_SYS_PTRACE
> > is frowned upon even for the system-wide profilers.
> >
> > On the other hand, it's already possible to access similar kind of
> > information (and more) with just CAP_PERFMON capability. E.g., setting
> > up PERF_RECORD_MMAP collection through perf_event_open() would give one
> > similar information to what /proc/PID/maps provides.
> >
> > CAP_PERFMON, together with CAP_BPF, is already a very common combination
> > for system-wide profiling and observability application. As such, it's
> > reasonable and convenient to be able to access /proc/PID/maps with
> > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> >
> > For procfs, these permissions are checked through common mm_access()
> > helper, and so we augment that with cap_perfmon() check *only* if
> > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> > permitted by CAP_PERFMON.
> >
> > Besides procfs itself, mm_access() is used by process_madvise() and
> > process_vm_{readv,writev}() syscalls. The former one uses
> > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> > seems like a meaningful allowable capability as well.
> >
> > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> > permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> > but that's outside the scope of this change), and as such won't be
> > affected by this patch.
> >
> > Signed-off-by: Andrii Nakryiko <andrii@...nel.org>
> > ---
> > kernel/fork.c | 11 ++++++++++-
> > 1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index ded49f18cd95..c57cb3ad9931 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task)
> > }
> > EXPORT_SYMBOL_GPL(get_task_mm);
> >
> > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode)
> > +{
> > + if (mm == current->mm)
> > + return true;
> > + if ((mode & PTRACE_MODE_READ) && perfmon_capable())
> > + return true;
>
> Just fyi, I suspect that this will trigger new audit denials if the task
> doesn't have CAP_SYS_ADMIN or CAP_PERFORM in the initial user namespace
> but where it would still have access through ptrace_may_access(). Such
> changes have led to complaints before.
>
> I'm not sure how likely that is but it might be noticable. If that's the
> case ns_capable_noaudit(&init_user_ns, ...) would help.
Yep, thanks. Not sure if this is the problem, but I'm open to changing
this. I can also switch the order and do perfmon_capable() check after
ptrace_may_access() to mitigate this problem? I guess that's what I'm
going to do in v2.
>
> > + return ptrace_may_access(task, mode);
> > +}
> > +
> > struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> > {
> > struct mm_struct *mm;
> > @@ -1559,7 +1568,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> > mm = get_task_mm(task);
> > if (!mm) {
> > mm = ERR_PTR(-ESRCH);
> > - } else if (mm != current->mm && !ptrace_may_access(task, mode)) {
> > + } else if (!can_access_mm(mm, task, mode)) {
> > mmput(mm);
> > mm = ERR_PTR(-EACCES);
> > }
> > --
> > 2.43.5
> >
Powered by blists - more mailing lists