patches/old/mmprocfs-allow-read-only-remote-mm-access-under-cap_perfmon.patch - pub/scm/linux/kernel/git/akpm/25-new - Git at Google

 From: Andrii Nakryiko <andrii@kernel.org>
 Subject: mm,procfs: allow read-only remote mm access under CAP_PERFMON
 Date: Mon, 27 Jan 2025 14:21:14 -0800

 It's very common for various tracing and profiling toolis to need to
 access /proc/PID/maps contents for stack symbolization needs to learn
 which shared libraries are mapped in memory, at which file offset, etc.
 Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we are
 looking at data for our own process, which is a trivial case not too
 relevant for profilers use cases).

 Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
 discover memory layout of another process: it allows to fully control
 arbitrary other processes.  This is problematic from security POV for
 applications that only need read-only /proc/PID/maps (and other similar
 read-only data) access, and in large production settings CAP_SYS_PTRACE is
 frowned upon even for the system-wide profilers.

 On the other hand, it's already possible to access similar kind of
 information (and more) with just CAP_PERFMON capability.  E.g., setting up
 PERF_RECORD_MMAP collection through perf_event_open() would give one
 similar information to what /proc/PID/maps provides.

 CAP_PERFMON, together with CAP_BPF, is already a very common combination
 for system-wide profiling and observability application.  As such, it's
 reasonable and convenient to be able to access /proc/PID/maps with
 CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.

 For procfs, these permissions are checked through common mm_access()
 helper, and so we augment that with cap_perfmon() check *only* if
 requested mode is PTRACE_MODE_READ.  I.e., PTRACE_MODE_ATTACH wouldn't be
 permitted by CAP_PERFMON.  So /proc/PID/mem, which uses
 PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but /proc/PID/maps,
 /proc/PID/environ, and a bunch of other read-only contents will be
 allowable under CAP_PERFMON.

 Besides procfs itself, mm_access() is used by process_madvise() and
 process_vm_{readv,writev}() syscalls.  The former one uses
 PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
 seems like a meaningful allowable capability as well.

 process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
 permissions (though for readv PTRACE_MODE_READ seems more reasonable, but
 that's outside the scope of this change), and as such won't be affected by
 this patch.

 Link: https://lkml.kernel.org/r/20250127222114.1132392-1-andrii@kernel.org
 Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
 Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
 Acked-by: Ingo Molnar <mingo@kernel.org>
 Cc: Al Viro <viro@zeniv.linux.org.uk>
 Cc: Christian Brauner <brauner@kernel.org>
 Cc: Jann Horn <jannh@google.com>
 Cc: Kees Cook <kees@kernel.org>
 Cc: Liam Howlett <liam.howlett@oracle.com>
 Cc: "Mike Rapoport (IBM)" <rppt@kernel.org>
 Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
 Cc: Suren Baghdasaryan <surenb@google.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 ---

  kernel/fork.c |   13 ++++++++++++-
  1 file changed, 12 insertions(+), 1 deletion(-)

 --- a/kernel/fork.c~mmprocfs-allow-read-only-remote-mm-access-under-cap_perfmon
 +++ a/kernel/fork.c
 @@ -1559,6 +1559,17 @@ struct mm_struct *get_task_mm(struct tas
  }
  EXPORT_SYMBOL_GPL(get_task_mm);

 +static bool may_access_mm(struct mm_struct *mm, struct task_struct *task, unsigned int mode)
 +{
 +	if (mm == current->mm)
 +		return true;
 +	if (ptrace_may_access(task, mode))
 +		return true;
 +	if ((mode & PTRACE_MODE_READ) && perfmon_capable())
 +		return true;
 +	return false;
 +}
 +
  struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
  {
  	struct mm_struct *mm;
 @@ -1571,7 +1582,7 @@ struct mm_struct *mm_access(struct task_
  	mm = get_task_mm(task);
  	if (!mm) {
  		mm = ERR_PTR(-ESRCH);
 -	} else if (mm != current->mm && !ptrace_may_access(task, mode)) {
 +	} else if (!may_access_mm(mm, task, mode)) {
  		mmput(mm);
  		mm = ERR_PTR(-EACCES);
  	}
 _
	From: Andrii Nakryiko <andrii@kernel.org>
	Subject: mm,procfs: allow read-only remote mm access under CAP_PERFMON
	Date: Mon, 27 Jan 2025 14:21:14 -0800

	It's very common for various tracing and profiling toolis to need to
	access /proc/PID/maps contents for stack symbolization needs to learn
	which shared libraries are mapped in memory, at which file offset, etc.
	Currently, access to /proc/PID/maps requires CAP_SYS_PTRACE (unless we are
	looking at data for our own process, which is a trivial case not too
	relevant for profilers use cases).

	Unfortunately, CAP_SYS_PTRACE implies way more than just ability to
	discover memory layout of another process: it allows to fully control
	arbitrary other processes. This is problematic from security POV for
	applications that only need read-only /proc/PID/maps (and other similar
	read-only data) access, and in large production settings CAP_SYS_PTRACE is
	frowned upon even for the system-wide profilers.

	On the other hand, it's already possible to access similar kind of
	information (and more) with just CAP_PERFMON capability. E.g., setting up
	PERF_RECORD_MMAP collection through perf_event_open() would give one
	similar information to what /proc/PID/maps provides.

	CAP_PERFMON, together with CAP_BPF, is already a very common combination
	for system-wide profiling and observability application. As such, it's
	reasonable and convenient to be able to access /proc/PID/maps with
	CAP_PERFMON capabilities instead of CAP_SYS_PTRACE.

	For procfs, these permissions are checked through common mm_access()
	helper, and so we augment that with cap_perfmon() check only if
	requested mode is PTRACE_MODE_READ. I.e., PTRACE_MODE_ATTACH wouldn't be
	permitted by CAP_PERFMON. So /proc/PID/mem, which uses
	PTRACE_MODE_ATTACH, won't be permitted by CAP_PERFMON, but /proc/PID/maps,
	/proc/PID/environ, and a bunch of other read-only contents will be
	allowable under CAP_PERFMON.

	Besides procfs itself, mm_access() is used by process_madvise() and
	process_vm_{readv,writev}() syscalls. The former one uses
	PTRACE_MODE_READ to avoid leaking ASLR metadata, and as such CAP_PERFMON
	seems like a meaningful allowable capability as well.

	process_vm_{readv,writev} currently assume PTRACE_MODE_ATTACH level of
	permissions (though for readv PTRACE_MODE_READ seems more reasonable, but
	that's outside the scope of this change), and as such won't be affected by
	this patch.

	Link: https://lkml.kernel.org/r/20250127222114.1132392-1-andrii@kernel.org
	Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
	Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
	Acked-by: Ingo Molnar <mingo@kernel.org>
	Cc: Al Viro <viro@zeniv.linux.org.uk>
	Cc: Christian Brauner <brauner@kernel.org>
	Cc: Jann Horn <jannh@google.com>
	Cc: Kees Cook <kees@kernel.org>
	Cc: Liam Howlett <liam.howlett@oracle.com>
	Cc: "Mike Rapoport (IBM)" <rppt@kernel.org>
	Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
	Cc: Suren Baghdasaryan <surenb@google.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	---

	kernel/fork.c \| 13 ++++++++++++-
	1 file changed, 12 insertions(+), 1 deletion(-)

	--- a/kernel/fork.c~mmprocfs-allow-read-only-remote-mm-access-under-cap_perfmon
	+++ a/kernel/fork.c
	@@ -1559,6 +1559,17 @@ struct mm_struct *get_task_mm(struct tas
	}
	EXPORT_SYMBOL_GPL(get_task_mm);

	+static bool may_access_mm(struct mm_struct mm, struct task_struct task, unsigned int mode)
	+{
	+ if (mm == current->mm)
	+ return true;
	+ if (ptrace_may_access(task, mode))
	+ return true;
	+ if ((mode & PTRACE_MODE_READ) && perfmon_capable())
	+ return true;
	+ return false;
	+}
	+
	struct mm_struct mm_access(struct task_struct task, unsigned int mode)
	{
	struct mm_struct *mm;
	@@ -1571,7 +1582,7 @@ struct mm_struct *mm_access(struct task_
	mm = get_task_mm(task);
	if (!mm) {
	mm = ERR_PTR(-ESRCH);
	- } else if (mm != current->mm && !ptrace_may_access(task, mode)) {
	+ } else if (!may_access_mm(mm, task, mode)) {
	mmput(mm);
	mm = ERR_PTR(-EACCES);
	}
	_