Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1198784imm; Fri, 28 Sep 2018 13:54:55 -0700 (PDT) X-Google-Smtp-Source: ACcGV61ajq49u4dQaBKaV2byGDoN5B8Ex17Yq5e8/2juXj88JYsEz/9+MRczp1JULaqok0FB/OOr X-Received: by 2002:a63:3507:: with SMTP id c7-v6mr305657pga.158.1538168095807; Fri, 28 Sep 2018 13:54:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538168095; cv=none; d=google.com; s=arc-20160816; b=sstS6Uvib4OBIEMwX9ZRclkRrIsxZf6SWFDeQUZzuaAxgaxzWFYssEuQvhYwz9oLqF 8il+k/vdYr7pT7c18LfccCoA/LgwdyzUTBKanEnKQ41rraG/NJibRO6wbgfKCbkk9JXB GqKWztGFKvkdCXKAOz98E6RTEn3tPFqTbCihFsXlEHpl6STuzUrRWy8edfqZUJ+y+xPR WgLRRtW8EK+LYtZp+zoz/3euNYkCJFW3SXjS1n+32cQa3UtolL8Rx/b0NHTM2d9BWHPl 5EhWc30obZrszkUvo7HjzR+J8fzaNlL5/LgrSnWwpmsmjx4esonO7rJycjqSh6qPFF9R G1lw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=iFY6aqOxx6i+K5Q/DjbhTXWf4HP8ZHwThzBzWHhx/d0=; b=oi+ajbJlvUf0T3JBIwzk/uWDH+xdhGzURHZtCSocX5namfGnJZ/DgasL1txTJ+CrgN YIGaGUNaQeIApW4bw8ZfkIsfh3t4L/UJj+HCFU5V5bqRB5Wv8m8zPS2ReIVOrhVMfKMi ClTrXIo7+2sXLYu5T4Rr66Yo6o5u6NfAf2PzrR98pf2o3EXI1TDzSUMdM05OppQjj9R3 o4TB2GRbpyu2V02nISHuT1RWUIzn6ekuUYqz4D46cBf2qvJyz755bK9wilTZPfVVfZ3Z zepLXI4a8a72e+9TUmjcP/6CR98xfozrnYdLQ9u2VeldStjyDpyf+ofX1sTjCzzSfW4A wsxQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=b4dOyw8j; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d16-v6si5572893pfe.267.2018.09.28.13.54.40; Fri, 28 Sep 2018 13:54:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=b4dOyw8j; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727206AbeI2DUC (ORCPT + 99 others); Fri, 28 Sep 2018 23:20:02 -0400 Received: from mail-ot1-f51.google.com ([209.85.210.51]:38509 "EHLO mail-ot1-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726789AbeI2DUC (ORCPT ); Fri, 28 Sep 2018 23:20:02 -0400 Received: by mail-ot1-f51.google.com with SMTP id h15-v6so7333546otj.5 for ; Fri, 28 Sep 2018 13:54:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iFY6aqOxx6i+K5Q/DjbhTXWf4HP8ZHwThzBzWHhx/d0=; b=b4dOyw8jLewPsNG9T8BzlZwg6RN6VEHzrA8MLbj+p/pTVbyLCXcaRpRSCN4EyqJ5G9 A+Vgj+ItK29D0xl/04AUR5IFVl7JgdbOznxJAxOnsqkKY72F2oPNjdumIt+XNov0mbAV CVTHHbHQ3lDJBpdhu/WvgxMwYCXqYT+lKFRTc5Ax6IxYC+xdl/DOVJrXtNpzKq+fE+3K r+tLLUguscdBOaoU/cmipv0jbEXL+El5uONnMzKSMSZwfLxIzfd+enm8GGoMSr5gOuwZ QWNZ6yPQY22rWCDOLHsxMPw9WSaAzoTBlF55pe2Z3xy80emVVadQ4xzZANw/ZXy0Q9IF 7X7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iFY6aqOxx6i+K5Q/DjbhTXWf4HP8ZHwThzBzWHhx/d0=; b=qGjTEW3SkBk2FRfWhJPiqzHsRKmEG+DKqUQgiE/ekITjS4n3Y/ogZeGQFoe0ulrwod ADbHboOM9VgOnRhthQ00ErQyMnSGYedt8YDcG7RZWHJmaXtgoJVclbh/QAtSb3f8p0pA 7Nyv3G5E2ccXEhIzw5qyQAX+OTiKKxXqcW19tij4tcycBcdIW3OsdJRgE8qKUe5k52ii 2x8UGg44s6Iu+ytRdo2NZ+LV0NU1NyYQaLdi0CuhN0xd+8nTIuFuY+JjVKlzM6VOfETD 0MTPcVvvwUqa3QNGyWDq+rQxQ6GBEhDFGFT8LI3GpeeEzlJMVG8EYgxS3nt4X2NUdHwS bjxA== X-Gm-Message-State: ABuFfoj7+yv1c2PsDm4wcCyfkT9FbSlfjoSJG+7ancu7jNuMdVUUA009 d7CYBeBRT4iNpDezCLLoUm0jCWPmG8LEq43uzfVZ9A== X-Received: by 2002:a9d:4716:: with SMTP id a22-v6mr245736otf.242.1538168072259; Fri, 28 Sep 2018 13:54:32 -0700 (PDT) MIME-Version: 1.0 References: <20180919122751.12439-1-tvrtko.ursulin@linux.intel.com> <20180928164111.i6nba2j6mnegwslw@lakrids.cambridge.arm.com> <20180928172340.GA32651@tassilo.jf.intel.com> <20180928174016.i7d24puv7y3jwzf6@lakrids.cambridge.arm.com> <20180928204930.GC32651@tassilo.jf.intel.com> In-Reply-To: <20180928204930.GC32651@tassilo.jf.intel.com> From: Jann Horn Date: Fri, 28 Sep 2018 22:54:05 +0200 Message-ID: Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting) To: Andi Kleen Cc: Mark Rutland , Thomas Gleixner , tursulin@ursulin.net, kernel list , tvrtko.ursulin@linux.intel.com, Peter Zijlstra , "the arch/x86 maintainers" , "H . Peter Anvin" , acme@kernel.org, alexander.shishkin@linux.intel.com, jolsa@redhat.com, namhyung@kernel.org, maddy@linux.vnet.ibm.com, alexey.budankov@linux.intel.com, Kees Cook Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 28, 2018 at 10:49 PM Andi Kleen wrote: > > On Fri, Sep 28, 2018 at 06:40:17PM +0100, Mark Rutland wrote: > > On Fri, Sep 28, 2018 at 10:23:40AM -0700, Andi Kleen wrote: > > > > There's also been prior discussion on these feature in other contexts > > > > (e.g. android expoits resulting from out-of-tree drivers). It would be > > > > nice to see those considered. > > > > > > > > IIRC The conclusion from prior discussions (e.g. [1]) was that we wanted > > > > finer granularity of control such that we could limit PMU access to > > > > specific users -- e.g. disallow arbitrary android apps from poking *any* > > > > PMU, while allowing some more trusted apps/users to uses *some* specific > > > > PMUs. > > > > > > > > e.g. we could add /sys/bus/event_source/devices/${PMU}/device, protect > > > > this via the usual fs ACLs, and pass the fd to perf_event_open() > > > > somehow. A valid fd would act as a capability, taking precedence over > > > > perf_event_paranoid. > > > > > > That sounds like an orthogonal feature. I don't think the original > > > patchkit would need to be hold up for this. It would be something > > > in addition. > > > > I have to say that I disagree -- these controls will have to interact > > somehow, and the fewer of them we have, the less complexity we'll have > > to deal with longer-term. > > You're proposing to completely redesign perf_event_open. And I think it would be a very good redesign. :) I love things that use file descriptors to represent capabilities. > This new file descriptor argument doesn't exist today so it would > need to create a new system call with more arguments Is that true? The first argument is a pointer to a struct that contains its own size, so it can be expanded without an ABI break. I don't see any reason why you couldn't cram more stuff in there. > (and BTW it would be more than the normal 6 argument limit > we have, so actually it couldn't even be a standard sycall) > > Obviously we would need to keep the old system call around > for compability, so you would need to worry about this > interaction in any case! > > So tying it together doesn't make any sense, because > the problem has to be solved separately anyways. > > > > > > BTW can't you already do that with the syscall filter? I assume > > > the Android sandboxes already use that. Just forbid perf_event_open > > > for the apps. > > > > Note that this was about providing access to *some* PMUs in some cases. > > > > IIUC, if that can be done today via a syscall filter, the same is true > > of per-pmu paranoid settings. > > The difference is that the Android sandboxes likely already doing this > and have all the infrastructure, and it's just another rule. > > Requiring syscall filters just to use the PMU on xn system > that otherwise doesn't need them would be very odd. > > -Andi