On Sun, Jan 15, 2023 at 4:27 AM Stephen Hemminger <step...@networkplumber.org> wrote:
>
> On Sun, 15 Jan 2023 01:58:02 +0300
> Dmitry Kozlyuk <dmitry.kozl...@gmail.com> wrote:
>
> > CAP_DAC_OVERRIDE capability is required to access /proc/self/pagemap,
> > but it was missing from the Linux guide, causing issues for users.
> >
> > Fixes: 979bb5d493fb ("doc: add more instructions for running as non-root")
> > Cc: sta...@dpdk.org
> >
> > Signed-off-by: Dmitry Kozlyuk <dmitry.kozl...@gmail.com>
> > Reported-by: Boris Ouretskey <borisu...@gmail.com>
> > Reported-by: Isaac Boukris <ibouk...@gmail.com>
>
> DAC_OVERRIDE is like having the master key. It opens all doors
> and if so, running as non-root really doesn't matter that much.

The cap_sys_admin also seems heavy but I guessed it is still better than full root.

> Ideally, a finer grain permission could be used.
> Recommending this to users seems wrong.
>
> According to the proc.5 man page.
>
>
>     /proc/[pid]/pagemap (since Linux 2.6.25)
>         This file shows the mapping of each of the process's
>         virtual pages into physical page frames or swap area.
>         ...
>         Permission to access this file is governed by a ptrace
>         access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>
> Which distro is this? What security module are you using?
> For example, on Debian (kernel 5.17) running as non-root it is possible to
> read pagemap.

I tested on Fedora (but also on Rocky8 older kernel):

uname -a
Linux localhost.localdomain 6.0.17-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 4 16:00:03 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

It can be shown by running the 'pagemap.c' demo code from https://bugs.centos.org/view.php?id=17176 which hinted me to adding DAC_OVERRIDE.

The strange thing is that running it without any capabilities allows you to read the file but gives the leading zeros, upon adding cap_ipc_lock,cap_sys_admin you get a read error and only adding cap_dac_override lets it run successfully.
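
The three outcomes reported in the message above (a readable file with zeroed values, an error, a successful run) can be told apart with a small probe. The following is an added example, not part of the thread and not the 'pagemap.c' demo it refers to; the names pm_classify, pm_probe and the PME_/PMR_ constants are hypothetical, and the bit layout is taken from the kernel's pagemap documentation.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Entry layout per the kernel's pagemap documentation: bit 63 = page present,
 * bits 0-54 = page frame number (PFN). Since Linux 4.2 the PFN field reads as
 * zero for callers without CAP_SYS_ADMIN. */
#define PME_PRESENT  (1ULL << 63)
#define PME_PFN_MASK ((1ULL << 55) - 1)

enum pm_result { PMR_OPEN_FAILED, PMR_READ_FAILED, PMR_NOT_PRESENT,
                 PMR_PFN_ZEROED, PMR_PFN_VISIBLE };

/* Classify one raw 64-bit pagemap entry (hypothetical helper). */
enum pm_result pm_classify(uint64_t entry)
{
    if (!(entry & PME_PRESENT))
        return PMR_NOT_PRESENT;
    return (entry & PME_PFN_MASK) ? PMR_PFN_VISIBLE : PMR_PFN_ZEROED;
}

/* Read the entry covering addr from /proc/self/pagemap; *err receives errno. */
enum pm_result pm_probe(const void *addr, uint64_t *entry, int *err)
{
    uintptr_t vpn = (uintptr_t)addr / (uintptr_t)sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) { *err = errno; return PMR_OPEN_FAILED; }
    ssize_t n = lseek(fd, (off_t)(vpn * sizeof(*entry)), SEEK_SET) < 0 ? -1
              : read(fd, entry, sizeof(*entry));
    *err = (n < 0) ? errno : 0;
    close(fd);
    return n == (ssize_t)sizeof(*entry) ? pm_classify(*entry) : PMR_READ_FAILED;
}

int main(void)
{
    static const char *names[] = { "open failed", "read failed", "page not present",
        "page present, PFN reads as zero", "page present, PFN visible" };
    static char page[4096];
    uint64_t entry = 0;
    int err = 0;
    page[0] = 1; /* touch the page so it is resident */
    enum pm_result r = pm_probe(page, &entry, &err);
    printf("%s (entry=0x%016llx, errno=%d %s)\n", names[r],
           (unsigned long long)entry, err, err ? strerror(err) : "");
    return r == PMR_PFN_VISIBLE ? 0 : 1;
}
```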