smsc/cma: Add a check for CAP_SYS_PTRACE between processes

jjhursey · jjhursey · commit 56132aa2f417 · 2022-08-23T08:27:47.000-05:00
* If you run in an environment (e.g., container) where the `CAP_SYS_PTRACE` capability is not provided then the two processes will not be able to use `process_vm_readv`/`process_vm_writev` even if all of the other checks currently in the code pass. The result is errors when trying to call one of these two functions which is difficult for the called (i.e., `btl/sm`) to recover from. * Use the `kcmp` system call as a proxy for the `process_vm_readv`/`process_vm_writev` functions. `kcmp` is a lightweight check in the kernel and is sufficient to detect if the two processes have the necessary capabilities. * Refs * Capabilities : https://man7.org/linux/man-pages/man7/capabilities.7.html * `kcmp` : https://man7.org/linux/man-pages/man2/kcmp.2.html Signed-off-by: Joshua Hursey <jhursey@us.ibm.com>
diff --git a/config/opal_check_cma.m4 b/config/opal_check_cma.m4
@@ -4,7 +4,7 @@
 #                         of Tennessee Research Foundation.  All rights
 #                         reserved.
 # Copyright (c) 2009-2016 Cisco Systems, Inc.  All rights reserved.
-# Copyright (c) 2010-2012 IBM Corporation.  All rights reserved.
+# Copyright (c) 2010-2022 IBM Corporation.  All rights reserved.
 # Copyright (c) 2013-2016 Los Alamos National Security, LLC. All rights
 #                         reserved.
 # Copyright (c) 2022      Amazon.com, Inc. or its affiliates.  All Rights reserved.
@@ -130,6 +130,25 @@ static void do_check (pid_t pid, int *in, int *out)
 
     OPAL_VAR_SCOPE_POP
 
+    # Testing CAP_SYS_PTRACE between two processes with kcmp
+    AC_CHECK_HEADERS([linux/kcmp.h])
+    AC_CHECK_HEADERS([sys/syscall.h])
+    AC_MSG_CHECKING([if kcmp works])
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <linux/kcmp.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+                                       ]], [[
+syscall(SYS_kcmp, 123, 456, KCMP_VM, 0, 0);
+                                           ]])],
+                      [AC_MSG_RESULT([yes])
+                       opal_check_cma_kcmp_happy=1],
+                      [AC_MSG_RESULT([no])
+                       opal_check_cma_kcmp_happy=0])
+    AC_DEFINE_UNQUOTED([OPAL_CMA_KCMP_AVAIL],
+                       [$opal_check_cma_kcmp_happy],
+                       [If kcmp is available])
+
     AS_IF([test $opal_check_cma_happy -eq 1],
           [opal_check_cma_msg=yes],
           [opal_check_cma_msg=no])
diff --git a/opal/mca/smsc/cma/smsc_cma_module.c b/opal/mca/smsc/cma/smsc_cma_module.c
@@ -8,6 +8,7 @@
  *                         of Tennessee Research Foundation.  All rights
  *                         reserved.
  * Copyright (c) 2021      Google, Inc. All rights reserved.
+ * Copyright (c) 2022      IBM Corporation.  All rights reserved.
  * $COPYRIGHT$
  *
  * Additional copyrights may follow
@@ -20,6 +21,13 @@
 #include "opal/mca/smsc/base/base.h"
 #include "opal/mca/smsc/cma/smsc_cma_internal.h"
 
+#if HAVE_LINUX_KCMP_H
+#    include <linux/kcmp.h>       /* kcmp: Definition of KCMP_* constants */
+#endif /* HAVE_LINUX_KCMP_H */
+#if HAVE_SYS_SYSCALL_H
+#    include <sys/syscall.h>      /* kcmp: Definition of SYS_* constants */
+#endif /* HAVE_SYS_SYSCALL_H */
+
 #if OPAL_CMA_NEED_SYSCALL_DEFS
 #    include "opal/sys/cma.h"
 #else
@@ -58,6 +66,26 @@ mca_smsc_endpoint_t *mca_smsc_cma_get_endpoint(opal_proc_t *peer_proc)
         return NULL;
     }
 
+#if OPAL_CMA_KCMP_AVAIL
+    /* Check if CAP_SYS_PTRACE capability is allowed between these two processes
+     * Calling process_vm_readv/writev requires CAP_SYS_PTRACE. We can use kcmp
+     * to check if these two processes share a kernel resource. Since kcmp
+     * also requires CAP_SYS_PTRACE it is a good proxy for process_vm_readv/writev.
+     */
+    rc = syscall(SYS_kcmp, getpid(), modex->pid, KCMP_VM, 0, 0);
+    if(rc < 0) {
+        opal_output_verbose(MCA_BASE_VERBOSE_ERROR, opal_smsc_base_framework.framework_output,
+                            "mca_smsc_cma_module_get_endpoint: can not proceed. processes do not have "
+                            "the necessary permissions (i.e., CAP_SYS_PTRACE). "
+                            "PID %d <-> %d (rc = %d) (errno: %d: %s)",
+                            getpid(), modex->pid, rc, errno, strerror(errno));
+        /* can't use CMA with this peer */
+        OBJ_RELEASE(endpoint);
+        free(modex);
+        return NULL;
+    }
+#endif /* OPAL_CMA_KCMP_AVAIL */
+
     endpoint->pid = modex->pid;
     return &endpoint->super;
 }
