Set ptracer permissions for IPC handle creation

PatKamin · PatKamin · commit 009e1f1490e8 · 2025-01-07T08:52:26.000+01:00
Co-authored-by: sergey.vinogradov@intel.com
diff --git a/.github/workflows/reusable_basic.yml b/.github/workflows/reusable_basic.yml
@@ -147,9 +147,6 @@ jobs:
     - name: Install libhwloc
       run: .github/scripts/install_hwloc.sh
 
-    - name: Set ptrace value for IPC test
-      run: sudo bash -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
-
     - name: Configure build
       run: >
         ${{ matrix.compiler.cxx == 'icpx' && '. /opt/intel/oneapi/setvars.sh &&' || ''}} 
diff --git a/.github/workflows/reusable_fast.yml b/.github/workflows/reusable_fast.yml
@@ -88,10 +88,6 @@ jobs:
         sudo apt-get install -y cmake libnuma-dev libtbb-dev
         .github/scripts/install_hwloc.sh # install hwloc-2.3.0 instead of hwloc-2.1.0 present in the OS package
 
-    - name: Set ptrace value for IPC test (on Linux only)
-      if: ${{ matrix.os == 'ubuntu-latest' || matrix.os == 'ubuntu-20.04' }}
-      run: sudo bash -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
-
     - name: Configure CMake
       if: matrix.simple_cmake == 'OFF'
       run: >
diff --git a/.github/workflows/reusable_proxy_lib.yml b/.github/workflows/reusable_proxy_lib.yml
@@ -34,9 +34,6 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y cmake libhwloc-dev libtbb-dev lcov
 
-      - name: Set ptrace value for IPC test
-        run: sudo bash -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
-
       - name: Configure build
         run: >
           cmake
diff --git a/.github/workflows/reusable_sanitizers.yml b/.github/workflows/reusable_sanitizers.yml
@@ -40,10 +40,6 @@ jobs:
         sudo apt-get update
         sudo apt-get install -y intel-oneapi-ippcp-devel intel-oneapi-ipp-devel intel-oneapi-common-oneapi-vars intel-oneapi-compiler-dpcpp-cpp
 
-
-    - name: Set ptrace value for IPC test
-      run: sudo bash -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
-
     - name: Configure build
       run: >
         ${{ matrix.compiler.cxx == 'icpx' && '. /opt/intel/oneapi/setvars.sh &&' || ''}} 
diff --git a/README.md b/README.md
@@ -155,12 +155,7 @@ IPC API requires the `UMF_MEM_MAP_SHARED` memory `visibility` mode
 IPC API uses the file descriptor duplication. It requires using `pidfd_getfd(2)` to obtain
 a duplicate of another process's file descriptor (`pidfd_getfd(2)` is supported since Linux 5.6).
 Permission to duplicate another process's file descriptor is governed by a ptrace access mode
-`PTRACE_MODE_ATTACH_REALCREDS` check (see `ptrace(2)`) that can be changed using
-the `/proc/sys/kernel/yama/ptrace_scope` interface in the following way:
-
-```sh
-$ sudo bash -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
-```
+`PTRACE_MODE_ATTACH_REALCREDS` check (see `ptrace(2)`). UMF calls `prctl()` to allow the UMF process to be ptraced by other processes.
 
 There are available two mechanisms for the shared memory mapping:
 1) a named shared memory object (used if the `shm_name` parameter is not NULL) or
@@ -187,12 +182,7 @@ A memory provider that provides memory from L0 device.
 IPC API uses the file descriptor duplication. It requires using `pidfd_getfd(2)` to obtain
 a duplicate of another process's file descriptor (`pidfd_getfd(2)` is supported since Linux 5.6).
 Permission to duplicate another process's file descriptor is governed by a ptrace access mode
-`PTRACE_MODE_ATTACH_REALCREDS` check (see `ptrace(2)`) that can be changed using
-the `/proc/sys/kernel/yama/ptrace_scope` interface in the following way:
-
-```sh
-$ sudo bash -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
-```
+`PTRACE_MODE_ATTACH_REALCREDS` check (see `ptrace(2)`). UMF calls `prctl()` to allow the UMF process to be ptraced by other processes.
 
 ##### Requirements
 
@@ -345,7 +335,7 @@ The memory used by the proxy memory allocator is mmap'ed:
 1) with the `MAP_PRIVATE` flag by default or
 2) with the `MAP_SHARED` flag if the `UMF_PROXY` environment variable contains one of two following strings: `page.disposition=shared-shm` or `page.disposition=shared-fd`. These two options differ in a mechanism used during IPC:
    - `page.disposition=shared-shm` - IPC uses the named shared memory. An SHM name is generated using the `umf_proxy_lib_shm_pid_$PID` pattern, where `$PID` is the PID of the process. It creates the `/dev/shm/umf_proxy_lib_shm_pid_$PID` file.
-   - `page.disposition=shared-fd` - IPC uses the file descriptor duplication. It requires using `pidfd_getfd(2)` to obtain a duplicate of another process's file descriptor. Permission to duplicate another process's file descriptor is governed by a ptrace access mode `PTRACE_MODE_ATTACH_REALCREDS` check (see `ptrace(2)`) that can be changed using the `/proc/sys/kernel/yama/ptrace_scope` interface. `pidfd_getfd(2)` is supported since Linux 5.6.
+   - `page.disposition=shared-fd` - IPC uses the file descriptor duplication. It requires using `pidfd_getfd(2)` to obtain a duplicate of another process's file descriptor. Permission to duplicate another process's file descriptor is governed by a ptrace access mode `PTRACE_MODE_ATTACH_REALCREDS` check (see `ptrace(2)`). UMF calls `prctl()` to allow the UMF process to be ptraced by other processes. `pidfd_getfd(2)` is supported since Linux 5.6.
 
 **Size threshold**
 
diff --git a/examples/ipc_ipcapi/ipc_ipcapi_anon_fd.sh b/examples/ipc_ipcapi/ipc_ipcapi_anon_fd.sh
@@ -12,21 +12,6 @@ set -e
 # port should be a number from the range <1024, 65535>
 PORT=$(( 1024 + ( $$ % ( 65535 - 1024 ))))
 
-# The ipc_ipcapi_anon_fd example requires using pidfd_getfd(2)
-# to obtain a duplicate of another process's file descriptor.
-# Permission to duplicate another process's file descriptor
-# is governed by a ptrace access mode PTRACE_MODE_ATTACH_REALCREDS check (see ptrace(2))
-# that can be changed using the /proc/sys/kernel/yama/ptrace_scope interface.
-PTRACE_SCOPE_FILE="/proc/sys/kernel/yama/ptrace_scope"
-VAL=0
-if [ -f $PTRACE_SCOPE_FILE ]; then
-	PTRACE_SCOPE_VAL=$(cat $PTRACE_SCOPE_FILE)
-	if [ $PTRACE_SCOPE_VAL -ne $VAL ]; then
-		echo "SKIP: ptrace_scope is not set to 0 (classic ptrace permissions) - skipping the test"
-		exit 125 # skip code defined in CMakeLists.txt
-	fi
-fi
-
 UMF_LOG_VAL="level:debug;flush:debug;output:stderr;pid:yes"
 
 echo "Starting ipc_ipcapi_anon_fd CONSUMER on port $PORT ..."
diff --git a/scripts/qemu/run-tests.sh b/scripts/qemu/run-tests.sh
@@ -23,8 +23,6 @@ UMF_DIR=$(pwd)
 # Drop caches, restores free memory on NUMA nodes
 echo password | sudo sync;
 echo password | sudo sh -c "/usr/bin/echo 3 > /proc/sys/vm/drop_caches"
-# Set ptrace value for IPC test
-echo password | sudo bash -c "echo 0 > /proc/sys/kernel/yama/ptrace_scope"
 
 numactl -H
 
diff --git a/src/libumf.c b/src/libumf.c
@@ -8,6 +8,12 @@
  */
 
 #include <stddef.h>
+#ifdef __linux__
+#include <errno.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+#endif
 
 #include "base_alloc_global.h"
 #include "ipc_cache.h"
@@ -34,6 +40,24 @@ int umfInit(void) {
 
         LOG_DEBUG("UMF tracker created");
 
+#ifdef __linux__
+        // The prctl() function with PR_SET_PTRACER is used here to allow other processes to ptrace
+        // the current process. This is necessary because UMF's memory providers on Linux (except CUDA)
+        // use the pidfd_getfd(2) system call to duplicate another process's file descriptor, which is
+        // governed by ptrace permissions. By default, on Ubuntu, /proc/sys/kernel/yama/ptrace_scope is
+        // set to 1 ("restricted ptrace"), which prevents pidfd_getfd from working unless ptrace_scope
+        // is set to 0. To overcome this limitation without requiring users to change the ptrace_scope
+        // setting, we use prctl(PR_SET_PTRACER, pid) to allow the process that creates the IPC handle
+        // to be ptraced by other processes, even when ptrace_scope is 1.
+        int res = prctl(PR_SET_PTRACER, getppid());
+        if (res != 0) {
+            LOG_ERR("Failed to set ptracer permissions for IPC use");
+            LOG_ERR("prctl() returned errno %d (%s)", errno, strerror(errno));
+            return -1;
+        }
+        LOG_DEBUG("Ptracer permissions set for IPC use");
+#endif
+
         umf_result_t umf_result = umfIpcCacheGlobalInit();
         if (umf_result != UMF_RESULT_SUCCESS) {
             LOG_ERR("Failed to initialize IPC cache");
diff --git a/src/utils/utils_posix_common.c b/src/utils/utils_posix_common.c
@@ -91,9 +91,6 @@ umf_result_t utils_duplicate_fd(int pid, int fd_in, int *fd_out) {
     return UMF_RESULT_ERROR_NOT_SUPPORTED;
 #else
     // pidfd_getfd(2) is used to obtain a duplicate of another process's file descriptor.
-    // Permission to duplicate another process's file descriptor
-    // is governed by a ptrace access mode PTRACE_MODE_ATTACH_REALCREDS check (see ptrace(2))
-    // that can be changed using the /proc/sys/kernel/yama/ptrace_scope interface.
     // pidfd_getfd(2) is supported since Linux 5.6
     // pidfd_open(2) is supported since Linux 5.3
     errno = 0;
diff --git a/test/ipc_os_prov_anon_fd.sh b/test/ipc_os_prov_anon_fd.sh
@@ -12,21 +12,6 @@ set -e
 # port should be a number from the range <1024, 65535>
 PORT=$(( 1024 + ( $$ % ( 65535 - 1024 ))))
 
-# The ipc_os_prov_anon_fd example requires using pidfd_getfd(2)
-# to obtain a duplicate of another process's file descriptor.
-# Permission to duplicate another process's file descriptor
-# is governed by a ptrace access mode PTRACE_MODE_ATTACH_REALCREDS check (see ptrace(2))
-# that can be changed using the /proc/sys/kernel/yama/ptrace_scope interface.
-PTRACE_SCOPE_FILE="/proc/sys/kernel/yama/ptrace_scope"
-VAL=0
-if [ -f $PTRACE_SCOPE_FILE ]; then
-	PTRACE_SCOPE_VAL=$(cat $PTRACE_SCOPE_FILE)
-	if [ $PTRACE_SCOPE_VAL -ne $VAL ]; then
-		echo "SKIP: ptrace_scope is not set to 0 (classic ptrace permissions) - skipping the test"
-		exit 125 # skip code defined in CMakeLists.txt
-	fi
-fi
-
 UMF_LOG_VAL="level:debug;flush:debug;output:stderr;pid:yes"
 
 echo "Starting ipc_os_prov_anon_fd CONSUMER on port $PORT ..."
diff --git a/test/providers/ipc_level_zero_prov.sh b/test/providers/ipc_level_zero_prov.sh
@@ -12,21 +12,6 @@ set -e
 # port should be a number from the range <1024, 65535>
 PORT=$(( 1024 + ( $$ % ( 65535 - 1024 ))))
 
-# The ipc_level_zero_prov test requires using pidfd_getfd(2)
-# to obtain a duplicate of another process's file descriptor.
-# Permission to duplicate another process's file descriptor
-# is governed by a ptrace access mode PTRACE_MODE_ATTACH_REALCREDS check (see ptrace(2))
-# that can be changed using the /proc/sys/kernel/yama/ptrace_scope interface.
-PTRACE_SCOPE_FILE="/proc/sys/kernel/yama/ptrace_scope"
-VAL=0
-if [ -f $PTRACE_SCOPE_FILE ]; then
-	PTRACE_SCOPE_VAL=$(cat $PTRACE_SCOPE_FILE)
-	if [ $PTRACE_SCOPE_VAL -ne $VAL ]; then
-		echo "SKIP: ptrace_scope is not set to 0 (classic ptrace permissions) - skipping the test"
-		exit 125 # skip code defined in CMakeLists.txt
-	fi
-fi
-
 UMF_LOG_VAL="level:debug;flush:debug;output:stderr;pid:yes"
 
 echo "Starting ipc_level_zero_prov CONSUMER on port $PORT ..."
