From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BC933423DC; Sun, 15 Jan 2023 07:20:53 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3949B410FB; Sun, 15 Jan 2023 07:20:53 +0100 (CET) Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) by mails.dpdk.org (Postfix) with ESMTP id E7B0640042; Sun, 15 Jan 2023 07:20:51 +0100 (CET) Received: by mail-lf1-f44.google.com with SMTP id cf42so38682738lfb.1; Sat, 14 Jan 2023 22:20:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1THWP/yZg6iSuLFcLH2EIyNlq0efzfhM2lL2EUQ0P3w=; b=YvfgIO78Y1BxeSYKDL1JVVcd2RU68AhUNu2PFg+HDv3rn4dQl+sWim9gRDEEu4wc9s vPEXoy0wJPYcWuAxVirGVn5QhgQAN4wXz4OEscLIsuH7c+VdOfUMfDgYgJO6A+QEtnQi ftrmy6RwG0RBqTMcilcZ1tEficaA8H7hDd9kxUocfOqK6yB6O757oKMyBG/3AcWFqdd4 emASHHGbLGmxV13PWfCHL3TSZcKg5Gj86cqD9GLbLtDbaE8lTv+J0nGEOeuwx1v1b+eG EKCMxErwmxhBIZsX4TWj+YR73/r6VNcvcFpUwOkv+gbtWSEewhmmG7QjSXEAu9NCi2x0 ZPRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1THWP/yZg6iSuLFcLH2EIyNlq0efzfhM2lL2EUQ0P3w=; b=cACLLpb6tvbqx90HIMmyOwBH5FU+FQx/gZj/ZarrFvo4vdmbl6fJdmRhvjHU78Ynso vDDCI/fgJ3uM3YraKsCrK19yAt0pcvlvXcuIeB60UWi6TIPG1jmckAEBSpwZMogO0dCB ELN1eCa1TFqk9oRWltJo4DfbaXvuG8ts27+IoQ0fUhuHvpbEkHjJ5HoHsPHS2AX6/cn2 O9oHMUV1J8G+qB32tLv2oOxW6X54g4oekYTSPW8FWq/3nrpUqfT38uKXehYEr9f5h1X+ 372YpuDshJjfJErftjO7yySLubD/DlLQeWVa7RaTVJf+lhuQUsUQFTzOtiHkN5/yybbU Iwvg== X-Gm-Message-State: AFqh2krBt4Fqt1FUst64+yJkTymEQDbwHInjq9UKEkvXh+WJfnfgS6oF MxQfGGiigpgttu8rw8szQ9DZFtu75677VZu+dd0= X-Google-Smtp-Source: AMrXdXvnxZv3DTCnYd2HZMZOhW8nsam/gtizqCvTojiWIudqi21jdoV0tgw1nUQVAQdXoDqXqyegfMDU7hGTyd+cTzU= X-Received: by 2002:ac2:41da:0:b0:4b4:af05:4a8d with SMTP id d26-20020ac241da000000b004b4af054a8dmr3868921lfi.415.1673763651190; Sat, 14 Jan 2023 22:20:51 -0800 (PST) MIME-Version: 1.0 References: <20230114225802.136625-1-dmitry.kozliuk@gmail.com> <20230114182752.0fa60bf7@hermes.local> In-Reply-To: <20230114182752.0fa60bf7@hermes.local> From: Isaac Boukris Date: Sun, 15 Jan 2023 08:20:39 +0200 Message-ID: Subject: Re: [PATCH] doc: add capability to access physical addresses To: Stephen Hemminger Cc: Dmitry Kozlyuk , dev@dpdk.org, stable@dpdk.org, Boris Ouretskey , Bruce Richardson Content-Type: text/plain; charset="UTF-8" X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org On Sun, Jan 15, 2023 at 4:27 AM Stephen Hemminger wrote: > > On Sun, 15 Jan 2023 01:58:02 +0300 > Dmitry Kozlyuk wrote: > > > CAP_DAC_OVERRIDE capability is required to access /proc/self/pagemap, > > but it was missing from the Linux guide, causing issues for users. > > > > Fixes: 979bb5d493fb ("doc: add more instructions for running as non-root") > > Cc: stable@dpdk.org > > > > Signed-off-by: Dmitry Kozlyuk > > Reported-by: Boris Ouretskey > > Reported-by: Isaac Boukris > > DAC_OVERRIDE is like having the master key. It opens all doors > and if so, running as non-root really doesn't matter that much. The cap_sys_admin also seems heavy but I guessed it is still better than full root. > Ideally, a finer grain permission could be used. > Recommending this to users seems wrong. > > According proc.5 man page. > > > /proc/[pid]/pagemap (since Linux 2.6.25) > This file shows the mapping of each of the process's > virtual pages into physical page frames or swap area. > ... > Permission to access this file is governed by a ptrace > access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2). > > Which distro is this? What security module are you using. > For example, on Debian (kernel 5.17) running as non-root it is possible to read pagemap. I tested on fedora (but also on Rocky8 older kernel): uname -a Linux localhost.localdomain 6.0.17-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 4 16:00:03 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux It can be shown by running the 'pagemap.c' demo code from https://bugs.centos.org/view.php?id=17176 which hinted me to adding DAC_OVERRIDE. The strange thing is that running it without any capabilities allows you to read the file but give the leading zeros, upon adding cap_ipc_lock,cap_sys_admin you get a read error and only adding cap_dac_override lets it run successfully.