[PATCH v2] mm,procfs: allow read-only remote mm access under CAP_PERFMON

[PATCH v2] mm,procfs: allow read-only remote mm access under CAP_PERFMON

[Andrii Nakryiko]

It's very common for various tracing and profiling toolis to need to
access /proc/PID/maps contents for stack symbolization needs to learn
which shared libraries are mapped in memory, at which file offset, etc.
Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
are looking at data for our own process, which is a trivial case not too
relevant for profilers use cases).

Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
discover memory layout of another process: it allows to fully control
arbitrary other processes. This is problematic from security POV for
applications that only need read-only /proc/PID/maps (and other similar
read-only data) access, and in large production settings CAP_SYS_PTRACE
is frowned upon even for the system-wide profilers.

On the other hand, it's already possible to access similar kind of
information (and more) with just CAP_PERFMON capability. E.g., setting
up PERF_RECORD_MMAP collection through perf_event_open() would give one
similar information to what /proc/PID/maps provides.

CAP_PERFMON, together with CAP_BPF, is already a very common combination
for system-wide profiling and observability application. As such, it's
reasonable and convenient to be able to access /proc/PID/maps with
CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.

For procfs, these permissions are checked through common mm_access()
helper, and so we augment that with cap_perfmon() check *only* if
requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
permitted by CAP_PERFMON. So /proc/PID/mem, which uses
PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but
/proc/PID/maps, /proc/PID/environ, and a bunch of other read-only
contents will be allowable under CAP_PERFMON.

Besides procfs itself, mm_access() is used by process_madvise() and
process_vm_{readv,writev}() syscalls. The former one uses
PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
seems like a meaningful allowable capability as well.

process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
permissions (though for readv PTRACE_MODE_READ seems more reasonable,
but that's outside the scope of this change), and as such won't be
affected by this patch.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
v1->v2:
  - expanded commit message a bit more about PTRACE_MODE_ATTACH vs
    PTRACE_MODE_READ uses inside procfs; left the generic logic untouched, as
    it still seems generally meaningful to allow CAP_PERFMON for read-only
    memory access, given its use within perf and BPF subsystems;
  - moved perfmon_capable() check after ptrace_may_access() to minimize the
    worry of extra audit messages where CAP_SYS_PTRACE would be provided
    (Christian);
  - s/can/may/_access_mm rename (Kees);

 kernel/fork.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index ded49f18cd95..452018f752a1 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1547,6 +1547,17 @@ struct mm_struct *get_task_mm(struct task_struct *task)
 }
 EXPORT_SYMBOL_GPL(get_task_mm);
 
+static bool may_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode)
+{
+	if (mm == current->mm)
+		return true;
+	if (ptrace_may_access(task, mode))
+		return true;
+	if ((mode & PTRACE_MODE_READ) && perfmon_capable())
+		return true;
+	return false;
+}
+
 struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
 {
 	struct mm_struct *mm;
@@ -1559,7 +1570,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
 	mm = get_task_mm(task);
 	if (!mm) {
 		mm = ERR_PTR(-ESRCH);
-	} else if (mm != current->mm && !ptrace_may_access(task, mode)) {
+	} else if (!may_access_mm(mm, task, mode)) {
 		mmput(mm);
 		mm = ERR_PTR(-EACCES);
 	}
-- 
2.43.5

Re: [PATCH v2] mm,procfs: allow read-only remote mm access under CAP_PERFMON

[Andrew Morton]

On Mon, 27 Jan 2025 14:21:14 -0800 Andrii Nakryiko <andrii@kernel.org> wrote:

> It's very common for various tracing and profiling toolis to need to
> access /proc/PID/maps contents for stack symbolization needs to learn
> which shared libraries are mapped in memory, at which file offset, etc.
> Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> are looking at data for our own process, which is a trivial case not too
> relevant for profilers use cases).
> 
> Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> discover memory layout of another process: it allows to fully control
> arbitrary other processes. This is problematic from security POV for
> applications that only need read-only /proc/PID/maps (and other similar
> read-only data) access, and in large production settings CAP_SYS_PTRACE
> is frowned upon even for the system-wide profilers.
> 
> On the other hand, it's already possible to access similar kind of
> information (and more) with just CAP_PERFMON capability. E.g., setting
> up PERF_RECORD_MMAP collection through perf_event_open() would give one
> similar information to what /proc/PID/maps provides.
> 
> CAP_PERFMON, together with CAP_BPF, is already a very common combination
> for system-wide profiling and observability application. As such, it's
> reasonable and convenient to be able to access /proc/PID/maps with
> CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> 
> For procfs, these permissions are checked through common mm_access()
> helper, and so we augment that with cap_perfmon() check *only* if
> requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> permitted by CAP_PERFMON. So /proc/PID/mem, which uses
> PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but
> /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only
> contents will be allowable under CAP_PERFMON.
> 
> Besides procfs itself, mm_access() is used by process_madvise() and
> process_vm_{readv,writev}() syscalls. The former one uses
> PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> seems like a meaningful allowable capability as well.
> 
> process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> but that's outside the scope of this change), and as such won't be
> affected by this patch.
> 

This should be documented somewhere, so we can tell our users what we
did.  Documentation/filesystems/proc.rst seems to be the place.  .

Re: [PATCH v2] mm,procfs: allow read-only remote mm access under CAP_PERFMON

[Andrii Nakryiko]

On Mon, Jan 27, 2025 at 4:41 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Mon, 27 Jan 2025 14:21:14 -0800 Andrii Nakryiko <andrii@kernel.org> wrote:
>
> > It's very common for various tracing and profiling toolis to need to
> > access /proc/PID/maps contents for stack symbolization needs to learn
> > which shared libraries are mapped in memory, at which file offset, etc.
> > Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> > are looking at data for our own process, which is a trivial case not too
> > relevant for profilers use cases).
> >
> > Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> > discover memory layout of another process: it allows to fully control
> > arbitrary other processes. This is problematic from security POV for
> > applications that only need read-only /proc/PID/maps (and other similar
> > read-only data) access, and in large production settings CAP_SYS_PTRACE
> > is frowned upon even for the system-wide profilers.
> >
> > On the other hand, it's already possible to access similar kind of
> > information (and more) with just CAP_PERFMON capability. E.g., setting
> > up PERF_RECORD_MMAP collection through perf_event_open() would give one
> > similar information to what /proc/PID/maps provides.
> >
> > CAP_PERFMON, together with CAP_BPF, is already a very common combination
> > for system-wide profiling and observability application. As such, it's
> > reasonable and convenient to be able to access /proc/PID/maps with
> > CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> >
> > For procfs, these permissions are checked through common mm_access()
> > helper, and so we augment that with cap_perfmon() check *only* if
> > requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> > permitted by CAP_PERFMON. So /proc/PID/mem, which uses
> > PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but
> > /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only
> > contents will be allowable under CAP_PERFMON.
> >
> > Besides procfs itself, mm_access() is used by process_madvise() and
> > process_vm_{readv,writev}() syscalls. The former one uses
> > PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> > seems like a meaningful allowable capability as well.
> >
> > process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> > permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> > but that's outside the scope of this change), and as such won't be
> > affected by this patch.
> >
>
> This should be documented somewhere, so we can tell our users what we
> did.  Documentation/filesystems/proc.rst seems to be the place.  .

Wow, that's a big file :) Funny enough, that file mentions ptrace only
in the context of /proc/<pid>/timerslack_ns, nothing else. Hm.. Should
I add a common section saying something about how either
CAP_SYS_PTRACE or CAP_PERFMON provides access to other process' user
space information?

If that's ok, I can send that as a follow up patch (as I bet there
will be a bunch of iteration on exact form, shape, wording,
placement).

Re: [PATCH v2] mm,procfs: allow read-only remote mm access under CAP_PERFMON

[Shakeel Butt]

On Mon, Jan 27, 2025 at 02:21:14PM -0800, Andrii Nakryiko wrote:
> It's very common for various tracing and profiling toolis to need to
> access /proc/PID/maps contents for stack symbolization needs to learn
> which shared libraries are mapped in memory, at which file offset, etc.
> Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> are looking at data for our own process, which is a trivial case not too
> relevant for profilers use cases).
> 
> Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> discover memory layout of another process: it allows to fully control
> arbitrary other processes. This is problematic from security POV for
> applications that only need read-only /proc/PID/maps (and other similar
> read-only data) access, and in large production settings CAP_SYS_PTRACE
> is frowned upon even for the system-wide profilers.
> 
> On the other hand, it's already possible to access similar kind of
> information (and more) with just CAP_PERFMON capability. E.g., setting
> up PERF_RECORD_MMAP collection through perf_event_open() would give one
> similar information to what /proc/PID/maps provides.
> 
> CAP_PERFMON, together with CAP_BPF, is already a very common combination
> for system-wide profiling and observability application. As such, it's
> reasonable and convenient to be able to access /proc/PID/maps with
> CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> 
> For procfs, these permissions are checked through common mm_access()
> helper, and so we augment that with cap_perfmon() check *only* if
> requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> permitted by CAP_PERFMON. So /proc/PID/mem, which uses
> PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but
> /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only
> contents will be allowable under CAP_PERFMON.
> 
> Besides procfs itself, mm_access() is used by process_madvise() and
> process_vm_{readv,writev}() syscalls. The former one uses
> PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> seems like a meaningful allowable capability as well.
> 
> process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> but that's outside the scope of this change), and as such won't be
> affected by this patch.
> 
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>

Re: [PATCH v2] mm,procfs: allow read-only remote mm access under CAP_PERFMON

[Ingo Molnar]

* Andrii Nakryiko <andrii@kernel.org> wrote:

> It's very common for various tracing and profiling toolis to need to
> access /proc/PID/maps contents for stack symbolization needs to learn
> which shared libraries are mapped in memory, at which file offset, etc.
> Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we
> are looking at data for our own process, which is a trivial case not too
> relevant for profilers use cases).
> 
> Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
> discover memory layout of another process: it allows to fully control
> arbitrary other processes. This is problematic from security POV for
> applications that only need read-only /proc/PID/maps (and other similar
> read-only data) access, and in large production settings CAP_SYS_PTRACE
> is frowned upon even for the system-wide profilers.
> 
> On the other hand, it's already possible to access similar kind of
> information (and more) with just CAP_PERFMON capability. E.g., setting
> up PERF_RECORD_MMAP collection through perf_event_open() would give one
> similar information to what /proc/PID/maps provides.
> 
> CAP_PERFMON, together with CAP_BPF, is already a very common combination
> for system-wide profiling and observability application. As such, it's
> reasonable and convenient to be able to access /proc/PID/maps with
> CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.
> 
> For procfs, these permissions are checked through common mm_access()
> helper, and so we augment that with cap_perfmon() check *only* if
> requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
> permitted by CAP_PERFMON. So /proc/PID/mem, which uses
> PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but
> /proc/PID/maps, /proc/PID/environ, and a bunch of other read-only
> contents will be allowable under CAP_PERFMON.
> 
> Besides procfs itself, mm_access() is used by process_madvise() and
> process_vm_{readv,writev}() syscalls. The former one uses
> PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
> seems like a meaningful allowable capability as well.
> 
> process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
> permissions (though for readv PTRACE_MODE_READ seems more reasonable,
> but that's outside the scope of this change), and as such won't be
> affected by this patch.
> 
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Acked-by: Ingo Molnar <mingo@kernel.org>

Thanks,

	Ingo