author: Younes Manton <younes.m@gmail.com> 2023-01-17 10:03:36 -0800
committer: Alejandro Colomar <alx@kernel.org> 2023-04-01 00:44:37 +0200
commit: 2c90b4a7e9ceb0c6e8cb26770571a5c8166a4111 (patch)
tree: c336227c3d34ce38910a5b02f251222a181639cf
parent: f2a1f466093b72f9630ed8e1a406548128c09630 (diff)
proc.5: Fix caps needed to read map_files contents

imachug@yandex.ru testing CRIU noticed that the documentation for proc's
map_files directory with respect to CAP_CHECKPOINT_RESTORE and namespaces
appears to be wrong. The text reads:

> since Linux 5.9, the reading process must have
> either CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE in the user
> namespace where it resides.

The reporter noted that the user actually needs the capabilities in the
initial user namespace, not in the namespace the process resides in. As far
as I can tell this appears to be the case. The text was introduced in
167f94b707148bcd46fe39c7d4ebfada9eed88f6 and refers to kernel commit
12886f8ab10ce6a09af1d92535d49c81aaa215a8. The code and message in the
kernel commit refer to the initial user namespace.

An example program and shell session verifying the existing behaviour
follows:

    $ uname -r
    5.15.0-52-generic
    $ ./test.sh
    + make rmf
    cc rmf.c -o rmf
    + sudo setcap cap_checkpoint_restore-eip ./rmf
    + ./rmf
    19582: =
    Can't read map_files/ entry: Operation not permitted
    + sudo setcap cap_checkpoint_restore+eip ./rmf
    + ./rmf
    19588: cap_checkpoint_restore=ep
    + unshare --user ./rmf
    19591: cap_checkpoint_restore=ep
    Can't read map_files/ entry: Operation not permitted
    $ cat rmf.c
    #include <dirent.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/stat.h>
    #include <unistd.h>

    int main(void)
    {
        DIR *mfd;
        struct dirent *mfe;
        struct stat mfstat;
        int ret;

        /* $PPID in the shell that system() spawns is this program's pid. */
        system("getpcaps $PPID");
        if (chdir("/proc/self/map_files") != 0 || (mfd = opendir(".")) == NULL) {
            perror("Can't open map_files/");
            return 1;
        }
        /* Skip "." and ".." to reach the first real mapping entry. */
        do {
            mfe = readdir(mfd);
        } while (mfe != NULL && (!strcmp(mfe->d_name, ".") || !strcmp(mfe->d_name, "..")));
        if (mfe == NULL) {
            closedir(mfd);
            return 1;
        }
        /* stat() on a map_files/ entry is the operation that needs the capability. */
        ret = stat(mfe->d_name, &mfstat);
        if (ret != 0)
            perror("Can't read map_files/ entry");
        closedir(mfd);
        return ret;
    }

Signed-off-by: Younes Manton <younes.m@gmail.com>
Cc: <imachug@yandex.ru>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
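A self-contained variant of the check in the commit message, added here as an example that is not part of the commit or of the man-pages project: it reads the effective capability mask from /proc/self/status instead of shelling out to getpcaps, tests bit 40 (the capability number of CAP_CHECKPOINT_RESTORE), and then probes the first map_files entry the way rmf.c does, returning the errno so a caller can tell "no capability" (EPERM) from "no /proc" (ENOENT). The function names and the CapEff sample values in the comments are mine, not from the page.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define CAP_CHECKPOINT_RESTORE_BIT 40  /* capability number of CAP_CHECKPOINT_RESTORE */

/* 1 if CAP_CHECKPOINT_RESTORE is set in a "CapEff:\t<hex mask>" line from
 * /proc/self/status, 0 if not, -1 if the line cannot be parsed.
 * Example (constructed): "CapEff:\t0000010000000000" -> 1 (only bit 40 set). */
int cap_checkpoint_restore_in(const char *capeff_line)
{
    const char *p = strchr(capeff_line, ':');
    if (p == NULL)
        return -1;
    return (int)((strtoull(p + 1, NULL, 16) >> CAP_CHECKPOINT_RESTORE_BIT) & 1);
}

/* stat() the first real entry of /proc/self/map_files, as rmf.c does.
 * Returns 0 on success or the errno (EPERM when the capability check fails). */
int probe_map_files(void)
{
    DIR *d = opendir("/proc/self/map_files");
    struct dirent *e;
    struct stat st;
    int ret = 0;
    if (d == NULL)
        return errno;
    while ((e = readdir(d)) != NULL && (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")))
        ;  /* skip "." and ".." */
    if (e == NULL)
        ret = ENOENT;
    else if (fstatat(dirfd(d), e->d_name, &st, 0) != 0)
        ret = errno;
    closedir(d);
    return ret;
}

int main(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int has = -1, err;
    while (f != NULL && fgets(line, sizeof line, f) != NULL)
        if (strncmp(line, "CapEff:", 7) == 0) { has = cap_checkpoint_restore_in(line); break; }
    if (f != NULL) fclose(f);
    err = probe_map_files();
    printf("CAP_CHECKPOINT_RESTORE effective: %d\nmap_files probe: %s\n", has, err ? strerror(err) : "ok");
    return err != 0;
}
```

Run it plain, then under unshare --user, to see the CapEff line report the capability while the probe still returns EPERM outside the initial user namespace.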
-rw-r--r-- man5/proc.5 | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/man5/proc.5 b/man5/proc.5
index 39c7eb8ab..521402fe8 100644
--- a/man5/proc.5
+++ b/man5/proc.5
@@ -1268,7 +1268,7 @@ since Linux 5.9, the reading process must have either
.B CAP_SYS_ADMIN
or
.B CAP_CHECKPOINT_RESTORE
-in the user namespace where it resides.
+in the initial (i.e. root) user namespace.
.TP
.IR /proc/ pid /maps
A file containing the currently mapped memory regions and their access
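Review bot: the new wording on the `+` line ("in the initial (i.e. root) user namespace") agrees with the kernel commit cited in the message, but "root" here is ambiguous, since readers of proc.5 may take it as the root user rather than the root of the user-namespace hierarchy; "in the initial user namespace" followed by a `.BR user_namespaces (7)` cross-reference would point them to where that term and its capability rules are defined.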