From: Jordan Glover
To: Alexey Budankov
Cc: Thomas Gleixner, Kees Cook, Jann Horn, Ingo Molnar, Peter Zijlstra, Arnaldo Carvalho de Melo, Andi Kleen, Jonathan Corbet, Alexander Shishkin, Jiri Olsa, Namhyung Kim, Mark Rutland, Tvrtko Ursulin, linux-kernel, kernel-hardening@lists.openwall.com, linux-doc@vger.kernel.org
Reply-To: Jordan Glover
Subject: Re: [PATCH v1 2/2]: Documentation/admin-guide: introduce perf-security.rst file
Date: Mon, 19 Nov 2018 10:35:59 +0000
References: <0ac97cd0-4773-fff6-7d4e-74c4a1f076c4@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Monday, November 19, 2018 6:42 AM, Alexey Budankov wrote:

> Implement initial version of perf-security.rst documentation file
> initially covering security concerns related to PCL/Perf performance
> monitoring in multiuser environments.
>
> Suggested-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
>
> Documentation/admin-guide/perf-security.rst | 83 +++++++++++++++++++++++++++++
> 1 file changed, 83 insertions(+)
>
> diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst
> new file mode 100644
> index 000000000000..b9564066e686
> --- /dev/null
> +++ b/Documentation/admin-guide/perf-security.rst
> @@ -0,0 +1,83 @@ > +.. perf_security: > + > +PCL/Perf security > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > + > +Overview > +-------- > + > +Usage of Performance Counters for Linux (PCL) [1] , [2]_ , [3]_ can impo= se a+considerable risk of leaking sensitive data accessed by monitored proc= esses. > +The data leakage is possible both in scenarios of direct usage of PCL sy= stem > +call API [2]_ and over data files generated by Perf tool user mode utili= ty > +(Perf) [3]_ , [4]_ . The risk depends on the nature of data that PCL per= formance > +monitoring units (PMU) [2]_ collect and expose for performance analysis. > +Having that said PCL/Perf performance monitoring is the subject for secu= rity > +access control management [5]_ . > + > +PCL/Perf access control > +----------------------- > + > +For the purpose of performing security checks Linux implementation split= s > +processes into two categories [6]_ : a) privileged processes (whose effe= ctive > +user ID is 0, referred to as superuser or root), and b) unprivileged pro= cesses > +(whose effective UID is nonzero). Privileged processes bypass all kernel > +security permission checks so PCL performance monitoring is fully availa= ble to > +privileged processes without access, scope and resource restrictions. > +Unprivileged processes are subject to full security permission check bas= ed > +on the process's credentials [5]_ (usually: effective UID, effective GID= , > +and supplementary group list). > + > +PCL/Perf unprivileged users > +--------------------------- > + > +PCL/Perf scope and access control for unprivileged processes is governed= by > +perf_event_paranoid [2]_ setting: > + > +-1: > > - Impose no *scope* and *access* restrictions on using PCL performa= nce > > > - monitoring. Per-user per-cpu perf_event_mlock_kb [2]_ locking lim= it is > > > - ignored when allocating memory buffers for storing performance da= ta. 
> > > - This is the least secure mode since allowed monitored *scope* is > > > - maximized and no PCL specific limits are imposed on *resources* > > > - allocated for performance monitoring. > > > - > > +>=3D0: > > - *scope* includes per-process and system wide performance monitori= ng > > > - but excludes raw tracepoints and ftrace function tracepoints moni= toring. > > > - CPU and system events happened when executing either in user or > > > - in kernel space can be monitored and captured for later analysis. > > > - Per-user per-cpu perf_event_mlock_kb locking limit is imposed but > > > - ignored for unprivileged processes with CAP_IPC_LOCK [6]_ capabil= ity. > > > - > > +>=3D1: > > - *scope* includes per-process performance monitoring only and excl= udes > > > - system wide performance monitoring. CPU and system events happene= d when > > > - executing either in user or in kernel space can be monitored and > > > - captured for later analysis. Per-user per-cpu perf_event_mlock_kb > > > - locking limit is imposed but ignored for unprivileged processes w= ith > > > - CAP_IPC_LOCK capability. > > > - > > +>=3D2: > > - *scope* includes per-process performance monitoring only. CPU and= system > > > - events happened when executing in user space only can be monitore= d and > > > - captured for later analysis. Per-user per-cpu perf_event_mlock_kb > > > - locking limit is imposed but ignored for unprivileged processes w= ith > > > - CAP_IPC_LOCK capability. > > > - > > +>=3D3: > > - Restrict *access* to PCL performance monitoring for unprivileged = processes. > > > - This is the default on Debian and Android [7]_ , [8]_ . AFAIK there is no support for '+>=3D3' in mainline kernel[1]. Debian and Android use out-of-tree patch for that[2]. Maybe someone should upstream it? 
Jordan

[1] https://github.com/torvalds/linux/blob/master/kernel/events/core.c#L395
[2] https://salsa.debian.org/kernel-team/linux/blob/master/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
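Review bot: the `>=3` entry at the end of the perf_event_paranoid list documents a level that, per the reply above and its [1]/[2] links, exists only in the out-of-tree Debian/Android patch and not in mainline `kernel/events/core.c`; an admin guide shipped with the mainline kernel should either label that entry as distribution-specific or drop it, otherwise a reader on a mainline kernel will set `3` expecting a stricter mode and get the `>=2` behaviour instead. Two reST nits in the same hunk: the anchor `.. perf_security:` is missing the leading underscore (`.. _perf_security:`), so `:ref:` links cannot target this page, and in the Overview the first citation `[1] , [2]_ , [3]_` lacks the trailing underscore on `[1]`, so it will render as literal text rather than as a footnote reference like the others.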