Date: Sat, 14 Jan 2023 18:27:52 -0800
From: Stephen Hemminger
To: Dmitry Kozlyuk
Cc: dev@dpdk.org, stable@dpdk.org, Boris Ouretskey, Isaac Boukris, Bruce Richardson
Subject: Re: [PATCH] doc: add capability to access physical addresses
Message-ID: <20230114182752.0fa60bf7@hermes.local>
In-Reply-To: <20230114225802.136625-1-dmitry.kozliuk@gmail.com>

On Sun, 15 Jan 2023 01:58:02 +0300
Dmitry Kozlyuk wrote:

> CAP_DAC_OVERRIDE capability is required to access /proc/self/pagemap,
> but it was missing from the Linux guide, causing issues for users.
>
> Fixes: 979bb5d493fb ("doc: add more instructions for running as non-root")
> Cc: stable@dpdk.org
>
> Signed-off-by: Dmitry Kozlyuk
> Reported-by: Boris Ouretskey
> Reported-by: Isaac Boukris

DAC_OVERRIDE is like having the master key. It opens all doors and if so,
running as non-root really doesn't matter that much.

Ideally, a finer grain permission could be used.
Recommending this to users seems wrong.

According to the proc.5 man page:

    /proc/[pid]/pagemap (since Linux 2.6.25)
        This file shows the mapping of each of the process's virtual
        pages into physical page frames or swap area.
        ...
        Permission to access this file is governed by a ptrace access
        mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).

Which distro is this? What security module are you using?
For example, on Debian (kernel 5.17) running as non-root it is possible to read pagemap.
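
A check for the question raised in the message above, as an added example that is not part of the original message or of DPDK: it prints the process's effective capability mask and tests whether /proc/self/pagemap can be opened and read. The helper names are this example's own; the capability bit numbers come from <linux/capability.h> and the entry layout from the kernel's pagemap documentation.

```c
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_BIT_DAC_OVERRIDE 1
#define CAP_BIT_SYS_ADMIN 21

/* Return the CapEff mask found in the text of /proc/<pid>/status, 0 if absent. */
uint64_t parse_cap_eff(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0;
}

int has_cap(uint64_t mask, int bit) { return (int)((mask >> bit) & 1); }

/* pagemap entry layout (kernel pagemap docs): bit 63 present, bits 0-54 PFN. */
int pm_present(uint64_t e) { return (int)(e >> 63); }
uint64_t pm_pfn(uint64_t e) { return e & ((UINT64_C(1) << 55) - 1); }

/* Read this process's pagemap entry for addr; 0 on success, -1 on failure. */
int read_pagemap_entry(const void *addr, uint64_t *entry)
{
    off_t off = (off_t)((uintptr_t)addr / (uintptr_t)sysconf(_SC_PAGESIZE)) * 8;
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    int ok = lseek(fd, off, SEEK_SET) == off && read(fd, entry, 8) == 8;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    char buf[8192] = {0}, probe = 1; /* probe: a resident stack byte to look up */
    uint64_t caps, e = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f || fread(buf, 1, sizeof(buf) - 1, f) == 0) { perror("status"); return 1; }
    fclose(f);
    caps = parse_cap_eff(buf);
    printf("CapEff=%016" PRIx64 " dac_override=%d sys_admin=%d\n", caps,
           has_cap(caps, CAP_BIT_DAC_OVERRIDE), has_cap(caps, CAP_BIT_SYS_ADMIN));
    if (read_pagemap_entry(&probe, &e) != 0) { perror("pagemap"); return 1; }
    printf("pagemap readable: present=%d pfn=0x%" PRIx64 "\n", pm_present(e), pm_pfn(e));
    return 0;
}
```

Run it as the unprivileged user that will start the DPDK application. Since Linux 4.2 the kernel zeroes the PFN field for callers without CAP_SYS_ADMIN, so a successful read with pfn=0x0 means the file is readable but physical addresses are still hidden.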