Merge pull request #10694 from jjhursey/cma-check-cap-sys-ptrace

jjhursey · web-flow · commit d9d5c548a843 · 2022-08-24T10:31:48.000-05:00
smsc/cma: Add a check for CAP_SYS_PTRACE between processes
diff --git a/config/opal_check_cma.m4 b/config/opal_check_cma.m4
@@ -4,7 +4,7 @@
 #                         of Tennessee Research Foundation.  All rights
 #                         reserved.
 # Copyright (c) 2009-2016 Cisco Systems, Inc.  All rights reserved.
-# Copyright (c) 2010-2012 IBM Corporation.  All rights reserved.
+# Copyright (c) 2010-2022 IBM Corporation.  All rights reserved.
 # Copyright (c) 2013-2016 Los Alamos National Security, LLC. All rights
 #                         reserved.
 # Copyright (c) 2022      Amazon.com, Inc. or its affiliates.  All Rights reserved.
@@ -130,6 +130,25 @@ static void do_check (pid_t pid, int *in, int *out)
 
     OPAL_VAR_SCOPE_POP
 
+    # Testing CAP_SYS_PTRACE between two processes with kcmp
+    AC_CHECK_HEADERS([linux/kcmp.h])
+    AC_CHECK_HEADERS([sys/syscall.h])
+    AC_MSG_CHECKING([if kcmp works])
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <linux/kcmp.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+                                       ]], [[
+syscall(SYS_kcmp, 123, 456, KCMP_VM, 0, 0);
+                                           ]])],
+                      [AC_MSG_RESULT([yes])
+                       opal_check_cma_kcmp_happy=1],
+                      [AC_MSG_RESULT([no])
+                       opal_check_cma_kcmp_happy=0])
+    AC_DEFINE_UNQUOTED([OPAL_CMA_KCMP_AVAIL],
+                       [$opal_check_cma_kcmp_happy],
+                       [If kcmp is available])
+
     AS_IF([test $opal_check_cma_happy -eq 1],
           [opal_check_cma_msg=yes],
           [opal_check_cma_msg=no])
diff --git a/opal/mca/smsc/cma/smsc_cma_module.c b/opal/mca/smsc/cma/smsc_cma_module.c
@@ -8,6 +8,7 @@
  *                         of Tennessee Research Foundation.  All rights
  *                         reserved.
  * Copyright (c) 2021      Google, Inc. All rights reserved.
+ * Copyright (c) 2022      IBM Corporation.  All rights reserved.
  * $COPYRIGHT$
  *
  * Additional copyrights may follow
@@ -20,6 +21,13 @@
 #include "opal/mca/smsc/base/base.h"
 #include "opal/mca/smsc/cma/smsc_cma_internal.h"
 
+#if HAVE_LINUX_KCMP_H
+#    include <linux/kcmp.h>       /* kcmp: Definition of KCMP_* constants */
+#endif /* HAVE_LINUX_KCMP_H */
+#if HAVE_SYS_SYSCALL_H
+#    include <sys/syscall.h>      /* kcmp: Definition of SYS_* constants */
+#endif /* HAVE_SYS_SYSCALL_H */
+
 #if OPAL_CMA_NEED_SYSCALL_DEFS
 #    include "opal/sys/cma.h"
 #else
@@ -58,6 +66,26 @@ mca_smsc_endpoint_t *mca_smsc_cma_get_endpoint(opal_proc_t *peer_proc)
         return NULL;
     }
 
+#if OPAL_CMA_KCMP_AVAIL
+    /* Check if CAP_SYS_PTRACE capability is allowed between these two processes
+     * Calling process_vm_readv/writev requires CAP_SYS_PTRACE. We can use kcmp
+     * to check if these two processes share a kernel resource. Since kcmp
+     * also requires CAP_SYS_PTRACE it is a good proxy for process_vm_readv/writev.
+     */
+    rc = syscall(SYS_kcmp, getpid(), modex->pid, KCMP_VM, 0, 0);
+    if(rc < 0) {
+        opal_output_verbose(MCA_BASE_VERBOSE_ERROR, opal_smsc_base_framework.framework_output,
+                            "mca_smsc_cma_module_get_endpoint: can not proceed. processes do not have "
+                            "the necessary permissions (i.e., CAP_SYS_PTRACE). "
+                            "PID %d <-> %d (rc = %d) (errno: %d: %s)",
+                            getpid(), modex->pid, rc, errno, strerror(errno));
+        /* can't use CMA with this peer */
+        OBJ_RELEASE(endpoint);
+        free(modex);
+        return NULL;
+    }
+#endif /* OPAL_CMA_KCMP_AVAIL */
+
     endpoint->pid = modex->pid;
     return &endpoint->super;
 }
