From: Isaac Boukris <iboukris@gmail.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>,
dev@dpdk.org, stable@dpdk.org,
Boris Ouretskey <borisusun@gmail.com>,
Bruce Richardson <bruce.richardson@intel.com>
Subject: Re: [PATCH] doc: add capability to access physical addresses
Date: Sun, 15 Jan 2023 08:20:39 +0200 [thread overview]
Message-ID: <CAC-fF8RmL+sYTcRWpdUcnkgFLZf4Q_47Yb9DwZH-v+GY6ULPGA@mail.gmail.com> (raw)
In-Reply-To: <20230114182752.0fa60bf7@hermes.local>
On Sun, Jan 15, 2023 at 4:27 AM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> On Sun, 15 Jan 2023 01:58:02 +0300
> Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:
>
> > CAP_DAC_OVERRIDE capability is required to access /proc/self/pagemap,
> > but it was missing from the Linux guide, causing issues for users.
> >
> > Fixes: 979bb5d493fb ("doc: add more instructions for running as non-root")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
> > Reported-by: Boris Ouretskey <borisusun@gmail.com>
> > Reported-by: Isaac Boukris <iboukris@gmail.com>
>
> DAC_OVERRIDE is like having the master key. It opens all doors
> and if so, running as non-root really doesn't matter that much.
The cap_sys_admin also seems heavy but I guessed it is still better
than full root.
> Ideally, a finer grain permission could be used.
> Recommending this to users seems wrong.
>
> According proc.5 man page.
>
>
> /proc/[pid]/pagemap (since Linux 2.6.25)
> This file shows the mapping of each of the process's
> virtual pages into physical page frames or swap area.
> ...
> Permission to access this file is governed by a ptrace
> access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>
> Which distro is this? What security module are you using.
> For example, on Debian (kernel 5.17) running as non-root it is possible to read pagemap.
I tested on fedora (but also on Rocky8 older kernel): uname -a
Linux localhost.localdomain 6.0.17-200.fc36.x86_64 #1 SMP
PREEMPT_DYNAMIC Wed Jan 4 16:00:03 UTC 2023 x86_64 x86_64 x86_64
GNU/Linux
It can be shown by running the 'pagemap.c' demo code from
https://bugs.centos.org/view.php?id=17176 which hinted me to adding
DAC_OVERRIDE.
The strange thing is that running it without any capabilities allows
you to read the file but give the leading zeros, upon adding
cap_ipc_lock,cap_sys_admin you get a read error and only adding
cap_dac_override lets it run successfully.
next prev parent reply other threads:[~2023-01-15 6:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-14 22:58 Dmitry Kozlyuk
2023-01-15 2:27 ` Stephen Hemminger
2023-01-15 6:20 ` Isaac Boukris [this message]
2023-01-15 12:46 ` Dmitry Kozlyuk
2023-01-15 13:30 ` Isaac Boukris
2023-01-19 21:24 Dmitry Kozlyuk
2023-03-28 19:19 ` Thomas Monjalon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAC-fF8RmL+sYTcRWpdUcnkgFLZf4Q_47Yb9DwZH-v+GY6ULPGA@mail.gmail.com \
--to=iboukris@gmail.com \
--cc=borisusun@gmail.com \
--cc=bruce.richardson@intel.com \
--cc=dev@dpdk.org \
--cc=dmitry.kozliuk@gmail.com \
--cc=stable@dpdk.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).