[PATCH] doc: add capability to access physical addresses

Isaac Boukris iboukris at gmail.com
Sun Jan 15 07:20:39 CET 2023

Previous message (by thread): [PATCH] doc: add capability to access physical addresses
Next message (by thread): [PATCH] doc: add capability to access physical addresses
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jan 15, 2023 at 4:27 AM Stephen Hemminger
<stephen at networkplumber.org> wrote:
>
> On Sun, 15 Jan 2023 01:58:02 +0300
> Dmitry Kozlyuk <dmitry.kozliuk at gmail.com> wrote:
>
> > CAP_DAC_OVERRIDE capability is required to access /proc/self/pagemap,
> > but it was missing from the Linux guide, causing issues for users.
> >
> > Fixes: 979bb5d493fb ("doc: add more instructions for running as non-root")
> > Cc: stable at dpdk.org
> >
> > Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk at gmail.com>
> > Reported-by: Boris Ouretskey <borisusun at gmail.com>
> > Reported-by: Isaac Boukris <iboukris at gmail.com>
>
> DAC_OVERRIDE is like having the master key. It opens all doors
> and if so, running as non-root really doesn't matter that much.

The cap_sys_admin also seems heavy but I guessed it is still better
than full root.

> Ideally, a finer grain permission could be used.
> Recommending this to users seems wrong.
>
> According proc.5 man page.
>
>
>        /proc/[pid]/pagemap (since Linux 2.6.25)
>               This file shows the mapping of each of the process's
>               virtual pages into physical page frames or swap area.
> ...
>               Permission to access this file is governed by a ptrace
>               access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>
> Which distro is this? What security module are you using.
> For example, on Debian (kernel 5.17) running as non-root it is possible to read pagemap.

I tested on fedora (but also on Rocky8 older kernel): uname -a
Linux localhost.localdomain 6.0.17-200.fc36.x86_64 #1 SMP
PREEMPT_DYNAMIC Wed Jan 4 16:00:03 UTC 2023 x86_64 x86_64 x86_64
GNU/Linux

It can be shown by running the 'pagemap.c' demo code from
https://bugs.centos.org/view.php?id=17176 which hinted me to adding
DAC_OVERRIDE.

The strange thing is that running it without any capabilities allows
you to read the file but give the leading zeros, upon adding
cap_ipc_lock,cap_sys_admin you get a read error and only adding
cap_dac_override lets it run successfully.

Previous message (by thread): [PATCH] doc: add capability to access physical addresses
Next message (by thread): [PATCH] doc: add capability to access physical addresses
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list