[PATCH] doc: add capability to access physical addresses

Stephen Hemminger stephen at networkplumber.org
Sun Jan 15 03:27:52 CET 2023


On Sun, 15 Jan 2023 01:58:02 +0300
Dmitry Kozlyuk <dmitry.kozliuk at gmail.com> wrote:

> CAP_DAC_OVERRIDE capability is required to access /proc/self/pagemap,
> but it was missing from the Linux guide, causing issues for users.
> 
> Fixes: 979bb5d493fb ("doc: add more instructions for running as non-root")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk at gmail.com>
> Reported-by: Boris Ouretskey <borisusun at gmail.com>
> Reported-by: Isaac Boukris <iboukris at gmail.com>

DAC_OVERRIDE is like having the master key. It opens all doors
and if so, running as non-root really doesn't matter that much.

Ideally, a finer grain permission could be used.
Recommending this to users seems wrong.

According to the proc.5 man page:


       /proc/[pid]/pagemap (since Linux 2.6.25)
              This file shows the mapping of each of the process's
              virtual pages into physical page frames or swap area.
...
              Permission to access this file is governed by a ptrace
              access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).

Which distro is this? What security module are you using?
For example, on Debian (kernel 5.17) running as non-root it is possible to read pagemap.
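
A diagnostic for the questions raised in this message, as an added example that is not part of the original e-mail or of the DPDK documentation: it reports whether the current process can open /proc/self/pagemap and whether its effective capability set holds CAP_DAC_OVERRIDE or CAP_SYS_ADMIN. The function and enum names are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit numbers from <linux/capability.h>. */
enum { BIT_DAC_OVERRIDE = 1, BIT_SYS_ADMIN = 21 };

/* Effective capability mask from /proc/<pid>/status text; 0 on success, -1 if absent. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    errno = 0;
    *mask = strtoull(p, &end, 16);   /* skips the tab, parses the hex mask */
    return (end == p || errno != 0) ? -1 : 0;
}

int has_cap(uint64_t mask, int bit) { return (int)((mask >> bit) & 1); }

/* Read-only open of our own pagemap; returns 0 or the errno from open(2). */
int try_open_pagemap(void)
{
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char line[256];
    uint64_t mask = 0;
    int found = -1, err = try_open_pagemap();
    FILE *f = fopen("/proc/self/status", "r");
    while (f != NULL && found != 0 && fgets(line, sizeof(line), f) != NULL)
        found = parse_cap_eff(line, &mask);
    if (f != NULL)
        fclose(f);
    printf("open pagemap: %s\n", err ? strerror(err) : "ok");
    if (found == 0)
        printf("dac_override=%d sys_admin=%d\n", has_cap(mask, BIT_DAC_OVERRIDE), has_cap(mask, BIT_SYS_ADMIN));
    return 0;
}
```

Running it as the same user and with the same file capabilities as the failing application shows whether the open itself is refused and which capabilities are actually in effect.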

