• Calvin Owens's avatar
    procfs: always expose /proc/<pid>/map_files/ and make it readable · bdb4d100
    Calvin Owens authored
    Currently, /proc/<pid>/map_files/ is restricted to CAP_SYS_ADMIN, and is
    only exposed if CONFIG_CHECKPOINT_RESTORE is set.
    
    Each mapped file region gets a symlink in /proc/<pid>/map_files/
    corresponding to the virtual address range at which it is mapped.  The
    symlinks work like the symlinks in /proc/<pid>/fd/, so you can follow them
    to the backing file even if that backing file has been unlinked.
    
    Currently, files which are mapped, unlinked, and closed are impossible to
    stat() from userspace.  Exposing /proc/<pid>/map_files/ closes this
    functionality "hole".
    
    Not being able to stat() such files makes noticing and explicitly
    accounting for the space they use on the filesystem impossible.  You can
    work around this by summing up the space used by every file in the
    filesystem and subtracting that total from what statfs() tells you, but
    that obviously isn't great, and it becomes unworkable once your filesystem
    becomes large enough.
    
    This patch moves map_files/ out from behind CONFIG_CHECKPOINT_RESTORE, and
    adjusts the permissions enforced on it as follows:
    
    * proc_map_files_lookup()
    * proc_map_files_readdir()
    * map_files_d_revalidate()
    
    	Remove the CAP_SYS_ADMIN restriction, leaving only the current
    	restriction requiring PTRACE_MODE_READ. The information made
    	available to userspace by these three functions is already
    	available in /proc/PID/maps with MODE_READ, so I don't see any
    	reason to limit them any further (see below for more detail).
    
    * proc_map_files_follow_link()
    
    	This stub has been added, and requires that the user have
    	CAP_SYS_ADMIN in order to follow the links in map_files/,
    	since there was concern on LKML both about the potential for
    	bypassing permissions on ancestor directories in the path to
    	files pointed to, and about what happens with more exotic
    	memory mappings created by some drivers (ie dma-buf).
    
    In older versions of this patch, I changed every permission check in
    the four functions above to enforce MODE_ATTACH instead of MODE_READ.
    This was an oversight on my part, and after revisiting the discussion
    it seems that nobody was concerned about anything outside of what is
    made possible by ->follow_link(). So in this version, I've left the
    checks for PTRACE_MODE_READ as-is.
    
    [akpm@linux-foundation.org: catch up with concurrent proc_pid_follow_link() changes]
    Signed-off-by: default avatarCalvin Owens <calvinowens@fb.com>
    Reviewed-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Cyrill Gorcunov <gorcunov@openvz.org>
    Cc: Joe Perches <joe@perches.com>
    Cc: Kirill A. Shutemov <kirill@shutemov.name>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    bdb4d100
base.c 79.6 KB