Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2862045imu; Mon, 19 Nov 2018 07:14:05 -0800 (PST) X-Google-Smtp-Source: AJdET5c16k/SMtwoKF5qEuA60iqK3AddeN7gMkSxnrecRCARATnHY2VeMzVk/xOd8nnduoWaeExL X-Received: by 2002:a62:d148:: with SMTP id t8mr10694911pfl.52.1542640445779; Mon, 19 Nov 2018 07:14:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542640445; cv=none; d=google.com; s=arc-20160816; b=tkWIUi6dp753YiSNmk66ietlMs3DU1NlM9voOkeAsM+MkEGNfpKuKOX+pfrNZWneWQ BZ1y/CdO9Lqp846yF5w5BSV/WwyZ2EiqZp09FUzDw0gT1pzNlqkpqhw5bafjD07Aacpz jidtmvzrnON3O9X6PxxjjJGsTxTI5SVez+xC1toLjbCGryzRIaz6ukG5ac5ZCtdVIaq2 yNx/2PV1JMTYwhX2A2UH6Mx45/f76rbxxpZ80wEE5Ko/7HlA+3eD8MpO3Gn3P+hyNkiq 31hbK9Hgi/Qng9kyKtHlIG5WpVJfm8tD5CWGK6tgxFriLSQIc0HsQKLRMq5C0ZWnQOaz YSkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:organization:from:references:cc:to:subject; bh=X0wKHRO+64L9+JgFZSC1bvtPPyAb4klhQZxfN+VCIyo=; b=NJTGgEKPg48kNOhYF7DBOeXEXyD5jnx9PeW8q0vxORRmS0a4WGmmofLO3lPoX6MHC1 HuKJ/o1GHosg+WUf0SbO9QKL80qQPeevV1SBt8Kk8qGy9r7BA6vEqo7pn0qYGJwrRPyM v5zCTwUfzStw8OKlO/qoQfxl3hV2PxstZPkmTHRleElSPlY6hXJcdvZj637Dm1AXT4BO 9Iu5XVmNuEDKvmc4qtWMdVewZtMJcik3iXY1MY/qRQS9z2GeQwonkaEja0WLe7YBfzf/ x9Z4NXQrl7+8yjut1ZYx2bw4BmklvjNSsvWsR5gsWvn3NeTkCCBvl69A1em5+7Txgvij YMuQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r22-v6si52893685pfr.18.2018.11.19.07.13.43; Mon, 19 Nov 2018 07:14:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729678AbeKTBgX (ORCPT + 99 others); Mon, 19 Nov 2018 20:36:23 -0500 Received: from mga09.intel.com ([134.134.136.24]:62656 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729548AbeKTBgX (ORCPT ); Mon, 19 Nov 2018 20:36:23 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Nov 2018 07:12:30 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,252,1539673200"; d="scan'208";a="101468297" Received: from linux.intel.com ([10.54.29.200]) by orsmga003.jf.intel.com with ESMTP; 19 Nov 2018 07:12:30 -0800 Received: from [10.252.27.191] (abudanko-mobl.ccr.corp.intel.com [10.252.27.191]) by linux.intel.com (Postfix) with ESMTP id D4D23580032; Mon, 19 Nov 2018 07:12:25 -0800 (PST) Subject: Re: [PATCH v1 1/2]: Documentation/admin-guide: update admin-guide index.rst To: Greg KH Cc: Thomas Gleixner , Kees Cook , Jann Horn , Ingo Molnar , Peter Zijlstra , Arnaldo Carvalho de Melo , Andi Kleen , Jonatan Corbet , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Mark Rutland , Tvrtko Ursulin , linux-kernel , kernel-hardening@lists.openwall.com, linux-doc@vger.kernel.org References: <0ac97cd0-4773-fff6-7d4e-74c4a1f076c4@linux.intel.com> <810bb4aa-777f-77ed-19f0-882354bdf9c7@linux.intel.com> <20181119100322.GA19910@kroah.com> From: Alexey Budankov Organization: Intel Corp. Message-ID: <660fcb45-bc63-0bf2-f14b-49b13b2580a0@linux.intel.com> Date: Mon, 19 Nov 2018 18:12:23 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20181119100322.GA19910@kroah.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Greg, On 19.11.2018 13:03, Greg KH wrote: > On Mon, Nov 19, 2018 at 08:41:31AM +0300, Alexey Budankov wrote: >> >> Extend index.rst index file at admin-guide root directory with >> the reference to perf-security.rst file being introduced. >> >> Signed-off-by: Alexey Budankov >> --- >> Documentation/admin-guide/index.rst | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst >> index 0873685bab0f..885cc0de9114 100644 >> --- a/Documentation/admin-guide/index.rst >> +++ b/Documentation/admin-guide/index.rst >> @@ -75,6 +75,7 @@ configure specific aspects of kernel behavior to your liking. >> thunderbolt >> LSM/index >> mm/index >> + perf-security > > You just broke the build with this patch. They need to be ordered the > other way around :( Thanks for pointing that out. The patches are now rebased according to MAINTAINERS here: git://git.lwn.net/linux.git docs-next make htmldocs SPHINXDIRS=admin-guide worked for me: ... build succeeded, 10 warnings. The HTML pages are in Documentation/output/admin-guide. firefox Documentation/output/admin-guide/index.html shows link to the document at the end of this paragraph: "The rest of this manual consists of various unordered guides on how to \ configure specific aspects of kernel behavior to your liking." Rebased changes are below for your convenience. Thanks, Alexey --- Documentation/admin-guide/index.rst | 1 + Documentation/admin-guide/perf-security.rst | 83 +++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+) diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst index 965745d5fb9a..0a491676685e 100644 --- a/Documentation/admin-guide/index.rst +++ b/Documentation/admin-guide/index.rst @@ -76,6 +76,7 @@ configure specific aspects of kernel behavior to your liking. thunderbolt LSM/index mm/index + perf-security .. only:: subproject and html diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst new file mode 100644 index 000000000000..b9564066e686 --- /dev/null +++ b/Documentation/admin-guide/perf-security.rst @@ -0,0 +1,83 @@ +.. _perf_security: + +PCL/Perf security +================= + +Overview +-------- + +Usage of Performance Counters for Linux (PCL) [1]_ , [2]_ , [3]_ can impose a +considerable risk of leaking sensitive data accessed by monitored processes. +The data leakage is possible both in scenarios of direct usage of PCL system +call API [2]_ and over data files generated by Perf tool user mode utility +(Perf) [3]_ , [4]_ . The risk depends on the nature of data that PCL performance +monitoring units (PMU) [2]_ collect and expose for performance analysis. +Having that said PCL/Perf performance monitoring is the subject for security +access control management [5]_ . + +PCL/Perf access control +----------------------- + +For the purpose of performing security checks Linux implementation splits +processes into two categories [6]_ : a) privileged processes (whose effective +user ID is 0, referred to as superuser or root), and b) unprivileged processes +(whose effective UID is nonzero). Privileged processes bypass all kernel +security permission checks so PCL performance monitoring is fully available to +privileged processes without *access*, *scope* and *resource* restrictions. +Unprivileged processes are subject to full security permission check based +on the process's credentials [5]_ (usually: effective UID, effective GID, +and supplementary group list). + +PCL/Perf unprivileged users +--------------------------- + +PCL/Perf *scope* and *access* control for unprivileged processes is governed by +perf_event_paranoid [2]_ setting: + +**-1**: + Impose no *scope* and *access* restrictions on using PCL performance + monitoring. Per-user per-cpu perf_event_mlock_kb [2]_ locking limit is + ignored when allocating memory buffers for storing performance data. + This is the least secure mode since allowed monitored *scope* is + maximized and no PCL specific limits are imposed on *resources* + allocated for performance monitoring. + +**>=0**: + *scope* includes per-process and system wide performance monitoring + but excludes raw tracepoints and ftrace function tracepoints monitoring. + CPU and system events happened when executing either in user or + in kernel space can be monitored and captured for later analysis. + Per-user per-cpu perf_event_mlock_kb locking limit is imposed but + ignored for unprivileged processes with CAP_IPC_LOCK [6]_ capability. + +**>=1**: + *scope* includes per-process performance monitoring only and excludes + system wide performance monitoring. CPU and system events happened when + executing either in user or in kernel space can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +**>=2**: + *scope* includes per-process performance monitoring only. CPU and system + events happened when executing in user space only can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +**>=3**: + Restrict *access* to PCL performance monitoring for unprivileged processes. + This is the default on Debian and Android [7]_ , [8]_ . + +Bibliography +------------ + +.. [1] ``_ +.. [2] ``_ +.. [3] ``_ +.. [4] ``_ +.. [5] ``_ +.. [6] ``_ +.. [7] ``_ +.. [8] ``_ +