Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp240503imm; Mon, 1 Oct 2018 09:12:50 -0700 (PDT) X-Google-Smtp-Source: ACcGV60G5CbhOBp9wTOTocEJijY2qPUPEhxd9v0VRTSuf6/1TCdYSg3EyzvWrtMdqFG+TBxmYY4f X-Received: by 2002:a63:d109:: with SMTP id k9-v6mr11061110pgg.49.1538410370547; Mon, 01 Oct 2018 09:12:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538410370; cv=none; d=google.com; s=arc-20160816; b=kfmOPJR07sje7XgcJe4/i7S0ena8fQ1KT9D/YGnutM/EoS+hrdR2Cjh8JHtyofz/0B 2kn1CA31J52heQ03nT+pjlAZByFeCEl23j7DAxLv5HR0EXfs9T1qkZn2M//fang9Dsmb vAhmGSHpxWpyRTVy9B7CD6Be0YS9gMQno1NPlueu2Zaq/u9blrFIyYi5P3uC+vmlDyJQ bjnN8QqDpqJkPVCgZv/SNp43WZdmMHlYOnkB3bjipE3cboaJlTBvOO0AusEH20OPTwS+ 2HWoCAxcyGenZJx4OfS2ZXrPX31nm5Pj4amjeF/fPX1o1HsI0jDvTtdg8/O33lShloNR CFkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=qpv48pZ+n63v/60cWTCKzXTV8AHHHney0kXroz9os84=; b=ZvOAAhtNsH9uuigVH5Fr4rwUB2uFw3aKOAIL/AzII0ONHzPUJz7CkASlInYlmOXUNH 0JZr2bgUF6mvFhhvyBTyz2WFVMLFtNJWFQG+AW4SejyORsv0/qxTy470llg5Prpm87Bk OjZjwqAFaCE96CXay3JdbhiK+BQ6yx8YsxbBypA295a+VdE47aOOfmKM75zHCn9Vn+iG JeboQHV8zZcG5CNh/FA89iuZqeGQo5YlTsg0Z4DwDMene7mEt359x4QofF7QIi2jjmHS U7RgqG/uEMSr1IbU6lR/ACw8NuHmoHl6mpSBinXmkqfBAvBJPVeihdKKw2URZbYLC4Ft JMCA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q4-v6si12719183pgj.417.2018.10.01.09.12.28; Mon, 01 Oct 2018 09:12:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726236AbeJAWul (ORCPT + 99 others); Mon, 1 Oct 2018 18:50:41 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:58050 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725777AbeJAWuk (ORCPT ); Mon, 1 Oct 2018 18:50:40 -0400 Received: from p5492e4c1.dip0.t-ipconnect.de ([84.146.228.193] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1g70ni-0007Zo-Rl; Mon, 01 Oct 2018 18:12:03 +0200 Date: Mon, 1 Oct 2018 18:11:59 +0200 (CEST) From: Thomas Gleixner To: Alexey Budankov cc: Jann Horn , Andi Kleen , Mark Rutland , tursulin@ursulin.net, kernel list , tvrtko.ursulin@linux.intel.com, Peter Zijlstra , the arch/x86 maintainers , "H . Peter Anvin" , acme@kernel.org, alexander.shishkin@linux.intel.com, jolsa@redhat.com, namhyung@kernel.org, maddy@linux.vnet.ibm.com, Kees Cook Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting) In-Reply-To: <22155f49-2f57-73b8-6e89-ddd8a127967b@linux.intel.com> Message-ID: References: <20180919122751.12439-1-tvrtko.ursulin@linux.intel.com> <20180928164111.i6nba2j6mnegwslw@lakrids.cambridge.arm.com> <20180928172340.GA32651@tassilo.jf.intel.com> <20180928174016.i7d24puv7y3jwzf6@lakrids.cambridge.arm.com> <20180928204930.GC32651@tassilo.jf.intel.com> <20180928205907.GD32651@tassilo.jf.intel.com> <20180928212757.GE32651@tassilo.jf.intel.com> <22155f49-2f57-73b8-6e89-ddd8a127967b@linux.intel.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Alexey, On Mon, 1 Oct 2018, Alexey Budankov wrote: > > On Fri, Sep 28, 2018 at 11:22:37PM +0200, Jann Horn wrote: > >> > >> Is that true? IIRC if you want to use the perf tools after a kernel > >> update, you have to install a new version of perf anyway, no? > > There are usages in production where perf_event_open() syscall > accompanied with read(), mmap() etc. is embedded into application > on per-thread basis and is used for self monitoring and dynamic > execution tuning. > > There are also other Perf tools around that, for example, are > statically linked and then used as on Linux as on Android. > > Backward compatibility does matter in these cases. Well, it's nothing fundamentally new, that new features require changes to applications, libraries etc. It's nice if it can be avoided of course. From a design POV, Jann's idea to have a per PMU special file which you need to open for getting access is way better than the extra knobs. It allows to use all existing security mechanisms to be used. Peter and I discussed that and we came up with the idea that the file descriptor is not even required, i.e. you could make it backward compatible. perf_event_open() knows which PMU is associated with the event the caller tries to open. So perf_event_open() can try to access/open the special per PMU file on behalf of the caller. That should get the same security treatment like a regular open() from user space. If that succeeds, access is granted. The magic file could still be writeable for root to give general restrictions aside of the file based ones similar to what you are proposing. The analysis and documentation requirements still remain of course. Thanks, tglx