On Thu, Jan 23, 2025 at 3:47 PM Kees Cook <kees@xxxxxxxxxx> wrote:
>
> On Thu, Jan 23, 2025 at 01:52:52PM -0800, Suren Baghdasaryan wrote:
> > On Thu, Jan 23, 2025 at 1:44 PM Andrii Nakryiko <andrii@xxxxxxxxxx> wrote:
> > >
> > > It's very common for various tracing and profiling toolis to need to
> > > access /proc/PID/maps contents for stack symbolization needs to learn
> > > which shared libraries are mapped in memory, at which file offset, etc.
> > > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> > > are looking at data for our own process, which is a trivial case not too
> > > relevant for profilers use cases).
> > >
> > > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> > > discover memory layout of another process: it allows to fully control
> > > arbitrary other processes. This is problematic from security POV for
> > > applications that only need read-only /proc/PID/maps (and other similar
> > > read-only data) access, and in large production settings CAP_SYS_PTRACE
> > > is frowned upon even for the system-wide profilers.
> > >
> > > On the other hand, it's already possible to access similar kind of
> > > information (and more) with just CAP_PERFMON capability. E.g., setting
> > > up PERF_RECORD_MMAP collection through perf_event_open() would give one
> > > similar information to what /proc/PID/maps provides.
> > >
> > > CAP_PERFMON, together with CAP_BPF, is already a very common combination
> > > for system-wide profiling and observability application. As such, it's
> > > reasonable and convenient to be able to access /proc/PID/maps with
> > > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> > >
> > > For procfs, these permissions are checked through common mm_access()
> > > helper, and so we augment that with cap_perfmon() check *only* if
> > > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> > > permitted by CAP_PERFMON.
> > >
> > > Besides procfs itself, mm_access() is used by process_madvise() and
> > > process_vm_{readv,writev}() syscalls. The former one uses
> > > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> > > seems like a meaningful allowable capability as well.
> > >
> > > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> > > permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> > > but that's outside the scope of this change), and as such won't be
> > > affected by this patch.
> >
> > CC'ing Jann and Kees.
> >
> > >
> > > Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> > > ---
> > > kernel/fork.c | 11 ++++++++++-
> > > 1 file changed, 10 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/kernel/fork.c b/kernel/fork.c
> > > index ded49f18cd95..c57cb3ad9931 100644
> > > --- a/kernel/fork.c
> > > +++ b/kernel/fork.c
> > > @@ -1547,6 +1547,15 @@ struct mm_struct *get_task_mm(struct task_struct *task)
> > > }
> > > EXPORT_SYMBOL_GPL(get_task_mm);
> > >
> > > +static bool can_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode)
> > > +{
> > > + if (mm == current->mm)
> > > + return true;
> > > + if ((mode & PTRACE_MODE_READ) && perfmon_capable())
> > > + return true;
> > > + return ptrace_may_access(task, mode);
> > > +}
>
> nit: "may" tends to be used more than "can" for access check function naming.
good point, will change to "may"
>
> So, this will bypass security_ptrace_access_check() within
> ptrace_may_access(). CAP_PERFMON may be something LSMs want visibility
> into.
yeah, similar to perf's perf_check_permission() (though, admittedly,
perf has its own security_perf_event_open(&attr, PERF_SECURITY_OPEN)
check much earlier in perf_event_open() logic)
>
> It also bypasses the dumpability check in __ptrace_may_access(). (Should
> non-dumpability block visibility into "maps" under CAP_PERFMON?)
With perf_event_open() and PERF_RECORD_MMAP none of this dumpability
is honored today as well, so I think CAP_PERFMON should override all
these ptrace things here, no?
>
> This change provides read access for CAP_PERFMON to:
>
> /proc/$pid/maps
> /proc/$pid/smaps
> /proc/$pid/mem
> /proc/$pid/environ
> /proc/$pid/auxv
> /proc/$pid/attr/*
> /proc/$pid/smaps_rollup
> /proc/$pid/pagemap
>
> /proc/$pid/mem access seems way out of bounds for CAP_PERFMON. environ
> and auxv maybe too much also. The "attr" files seem iffy. pagemap may be
> reasonable.
As Shakeel pointed out, /proc/PID/mem is PTRACE_MODE_ATTACH, so won't
be permitted under CAP_PERFMON either.
Don't really know what auxv is, but I could read all that with BPF if
I had CAP_PERFMON, for any task, so not like we are opening up new
possibilities here.
>
> Gaining CAP_PERFMON access to *only* the "maps" file doesn't seem too
> bad to me, but I think the proposed patch ends up providing way too wide
> access to other things.
I do care about maps mostly, yes, but I also wanted to avoid
duplicating all that mm_access() logic just for maps (and probably
smaps, they are the same data). But again, CAP_PERFMON basically means
read-only tracing access to anything within kernel and any user
process, so it felt appropriate to allow CAP_PERFMON here.
>
> Also, this is doing an init-namespace capability check for
> CAP_PERFMON (via perfmon_capable()). Shouldn't this be per-namespace?
CAP_PERFMON isn't namespaced as far as perf_event_open() is concerned,
so at least for that reason I don't want to relax the requirement
here. Namespacing CAP_PERFMON in general is interesting and I bet
there are users that would appreciate that, but that's an entire epic
journey we probably don't want to start here.
>
> -Kees
>
> > > +
> > > struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> > > {
> > > struct mm_struct *mm;
> > > @@ -1559,7 +1568,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
> > > mm = get_task_mm(task);
> > > if (!mm) {
> > > mm = ERR_PTR(-ESRCH);
> > > - } else if (mm != current->mm && !ptrace_may_access(task, mode)) {
> > > + } else if (!can_access_mm(mm, task, mode)) {
> > > mmput(mm);
> > > mm = ERR_PTR(-EACCES);
> > > }
> > > --
> > > 2.43.5
> > >
>
> --
> Kees Cook
