Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp960153imm; Mon, 1 Oct 2018 23:41:11 -0700 (PDT) X-Google-Smtp-Source: ACcGV62XHzg+ErnFyhIA9IhxGNqTKx7etQEajPwUl/POw22M9EEQ3+PbTD1baIkOfww7BXMKF5bD X-Received: by 2002:a17:902:ea:: with SMTP id a97-v6mr13363863pla.164.1538462471585; Mon, 01 Oct 2018 23:41:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538462471; cv=none; d=google.com; s=arc-20160816; b=s6C2QGk8iZrN6ei/uOxS+b1MTa9zBoY0W/TSE5Prw6Ah7BXJ3nrGp7GoHzqzxZpeAJ oO+U+txsfCYuD/nNHv8moa7gChyqOQtcUGCkOw8+Lw2EEhMEELdXjWVfHXyB5sQ9gURN CfLqmQscWMliJ8ujJNlYyt1DtGHQ9mRC1OHB6EXcd0Wr1WohF/7Hca1BNnHoKw0xEUwc s7lwh4fGkzHK30rM+t/ejRjN+KlzTrT578DT7jLFVpcl+sNtm2rEgeH94BaDrLMk7c2V jY738SUs3yN/GYwkI5GY1KvmQEDAiaKXAzfyJICOxhYb5gpEIAZON7RvkVk6RCx4N8oZ EvMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=1AvmQomqHiBSS9w65PJcC9fT8Ifv9sjf8sypJbMxcMw=; b=RtwWZodoQ5x+IAUDbBcJko5rSU30sLY0B9Wv6IhH1eH9wz5MAL8C6vQCfVJnPSYF1u K3G6FVblTxQr3HgPDLOz0bq0AIlBmDXc2EMM5CHuhgO2y7GM8rjXSgzmt6ZO+Be+OBDU nSz7sZbGHezT3duzcE/lV6rmQiqCVEJhXdO8Dt+01w2wafqPr5lMLrnnbr4392lyVYyl xFeNUjZKtRvxJvGNOs6xUEE3y9Go5OrUGlCgnrUfiTuik4RQKaNXkrCXoHekIQiAMBoV T7zy8/k+JXoPzlQToLBGnDkYIReiLqrgGERwbIkLqCG2Bf338nWZ4WixCiLJUwMUrSla Wugw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v70-v6si14911583pfa.103.2018.10.01.23.40.56; Mon, 01 Oct 2018 23:41:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726747AbeJBNWL (ORCPT + 99 others); Tue, 2 Oct 2018 09:22:11 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:58949 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726305AbeJBNWL (ORCPT ); Tue, 2 Oct 2018 09:22:11 -0400 Received: from p5492e4c1.dip0.t-ipconnect.de ([84.146.228.193] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1g7EM5-00036k-Ug; Tue, 02 Oct 2018 08:40:26 +0200 Date: Tue, 2 Oct 2018 08:40:25 +0200 (CEST) From: Thomas Gleixner To: Alexey Budankov cc: Jann Horn , Mark Rutland , Peter Zijlstra , Kees Cook , Andi Kleen , tursulin@ursulin.net, kernel list , tvrtko.ursulin@linux.intel.com, the arch/x86 maintainers , "H . Peter Anvin" , acme@kernel.org, alexander.shishkin@linux.intel.com, jolsa@redhat.com, namhyung@kernel.org, maddy@linux.vnet.ibm.com Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting) In-Reply-To: <905796f8-4704-66a8-ee0a-ac8aba90b179@linux.intel.com> Message-ID: References: <20180919122751.12439-1-tvrtko.ursulin@linux.intel.com> <20180928164111.i6nba2j6mnegwslw@lakrids.cambridge.arm.com> <20180928172340.GA32651@tassilo.jf.intel.com> <20180928174016.i7d24puv7y3jwzf6@lakrids.cambridge.arm.com> <20180928204930.GC32651@tassilo.jf.intel.com> <20180928205907.GD32651@tassilo.jf.intel.com> <20180928212757.GE32651@tassilo.jf.intel.com> <22155f49-2f57-73b8-6e89-ddd8a127967b@linux.intel.com> <905796f8-4704-66a8-ee0a-ac8aba90b179@linux.intel.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="8323329-784198692-1538462425=:32062" X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --8323329-784198692-1538462425=:32062 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Alexey, On Mon, 1 Oct 2018, Alexey Budankov wrote: > > perf_event_open() knows which PMU is associated with the event the caller > > tries to open. So perf_event_open() can try to access/open the special per > > PMU file on behalf of the caller. That should get the same security > > treatment like a regular open() from user space. If that succeeds, access > > is granted. > > > > The magic file could still be writeable for root to give general > > restrictions aside of the file based ones similar to what you are > > proposing. > > Let me wrap up all the requirements and ideas that have been captured so far. > > 1. A file [1] is added so that it can belong to a group of users allowed to use ${PMU}, > something like this: > > ls -alh /sys/bus/event_source/devices/${PMU}/caps/ > total 0 > drwxr-xr-x 2 root root 0 Oct 1 20:36 . > drwxr-xr-x 6 root root 0 Oct 1 20:36 .. > -r--r--r-- 1 root root 4.0K Oct 1 20:36 branches > -r--r--r-- 1 root root 4.0K Oct 1 20:36 max_precise > -r--r--r-- 1 root root 4.0K Oct 1 20:36 pmu_name > -rw-r--r-- root ${PMU}_users paranoid <=== Right, though I personaly prefer something like 'access_control' as file name, but that's bike shed painting realm. > Modifications of file content are allowed to those who can > modify /proc/sys/kernel/perf_event_paranoid setting. > > 2. Semantics and content of the introduced paranoid file is > similar to /proc/sys/kernel/perf_even_paranoid [2]: > > The perf_event_paranoid file can be set to restrict access > to the performance counters. > > 2 allow only user-space measurements (default since Linux 4.6). > 1 allow both kernel and user measurements (default before Linux 4.6). > 0 allow access to CPU-specific data but not raw trace‐point samples. > -1 no restrictions. > > The existence of the perf_event_paranoid file is the official method > for determining if a kernel supports perf_event_open(). > > 3. Every time an event for ${PMU} is created over perf_event_open(): > a) the calling thread's euid is checked to belong to ${PMU}_users group > and if it does then the event's fd is allocated; Not only the user group, it really should do the full security checks which are done on open(). > b) then traditional checks against perf_event_pranoid content are applied; Hmm, not sure about that because that might be conflicting. > c) if the file doesn't exist the access is governed by global setting > at /proc/sys/kernel/perf_even_paranoid; Correct. > 4. Documentation/admin-guide/perf-security.rst file is introduced that: 0) Better documentation of /proc/sys/kernel/perf_even_paranoid > a) contains general explanation for fine grained access control; > b) contains a section with guidance about scope and risk for each PMU > which is enabled for fine grained access control; > c) file is extended when more PMUs are enabled for fine grain control; Thanks, tglx --8323329-784198692-1538462425=:32062--