diff mbox series

[01/26] ptrace: export ptrace_may_access

Message ID 20241209133318.1806472-2-mika.kuoppala@linux.intel.com (mailing list archive)
State New, archived
Headers show
Series Intel Xe GPU debug support (eudebug) v3 | expand

Commit Message

Mika Kuoppala Dec. 9, 2024, 1:32 p.m. UTC 
xe driver would like to allow fine grained access control
for GDB debugger using ptrace. Without this export, the only
option would be to check for CAP_SYS_ADMIN.

The check intended for an ioctl to attach a GPU debugger
is similar to the ptrace use case: allow a calling process
to manipulate a target process if it has the necessary
capabilities or the same permissions, as described in
Documentation/process/adding-syscalls.rst.

Export ptrace_may_access function to allow GPU debugger to
have identical access control for debugger(s)
as a CPU debugger.

v2: proper commit message (Lucas)

Cc: Oleg Nesterov <oleg@redhat.com>
Cc: linux-kernel@vger.kernel.org
Cc: Dave Airlie <airlied@redhat.com>
CC: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
CC: Andi Shyti <andi.shyti@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
CC: Maciej Patelczyk <maciej.patelczyk@linux.intel.com>
Cc: Dominik Grzegorzek <dominik.grzegorzek@intel.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Signed-off-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
---
 kernel/ptrace.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Joonas Lahtinen Dec. 12, 2024, 9:16 a.m. UTC | #1 
Quoting Christoph Hellwig (2024-12-10 06:29:38)
> On Mon, Dec 09, 2024 at 03:32:52PM +0200, Mika Kuoppala wrote:
> > xe driver would like to allow fine grained access control
> > for GDB debugger using ptrace. Without this export, the only
> > option would be to check for CAP_SYS_ADMIN.
> > 
> > The check intended for an ioctl to attach a GPU debugger
> > is similar to the ptrace use case: allow a calling process
> > to manipulate a target process if it has the necessary
> > capabilities or the same permissions, as described in
> > Documentation/process/adding-syscalls.rst.
> > 
> > Export ptrace_may_access function to allow GPU debugger to
> > have identical access control for debugger(s)
> > as a CPU debugger.
> 
> This seems to mis an actual user or you forgot to Cc linux-kernel on it.

Right, that is a miss on our side. For the time being, the whole series
can be found in lore archive:

https://lore.kernel.org/dri-devel/20241209133318.1806472-1-mika.kuoppala@linux.intel.com/

The user is introduced in patch: [PATCH 03/26] drm/xe/eudebug: Introduce discovery for resources [1]

Essentially, we want to check if PID1 has permission to ptrace PID2, before we grant the
permission for PID1 to debug the GPU address space/memory of PID2.

Mika, please do Cc the relevant other patches of the series to LKML for next iteration.

Regards, Joonas

[1] https://lore.kernel.org/dri-devel/20241209133318.1806472-1-mika.kuoppala@linux.intel.com/T/#md3d005faaaac1ba01451b139a634e5545c2a266f
diff mbox series

Patch

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index d5f89f9ef29f..86be1805ebd8 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -354,6 +354,7 @@  bool ptrace_may_access(struct task_struct *task, unsigned int mode)
 	task_unlock(task);
 	return !err;
 }
+EXPORT_SYMBOL_GPL(ptrace_may_access);
 
 static int check_ptrace_options(unsigned long data)
 {