From: Alexei Starovoitov
Date: Mon, 13 Jan 2020 21:17:49 -0800
Subject: Re: [PATCH v4 2/9] perf/core: open access for CAP_SYS_PERFMON privileged process
To: Masami Hiramatsu
Cc: Alexey Budankov, Arnaldo Carvalho de Melo, Song Liu, Peter Zijlstra,
    Ingo Molnar, "jani.nikula@linux.intel.com",
    "joonas.lahtinen@linux.intel.com", "rodrigo.vivi@intel.com",
    Alexei Starovoitov, Benjamin Herrenschmidt, Paul Mackerras,
    Michael Ellerman, "james.bottomley@hansenpartnership.com",
    Serge Hallyn, James Morris, Will Deacon, Mark Rutland, Casey Schaufler,
    Robert Richter, Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
    Alexander Shishkin, Namhyung Kim, linux-kernel
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 13, 2020 at 7:25 PM Masami Hiramatsu wrote:
>
> On Sat, 11 Jan 2020 12:57:18 +0300
> Alexey Budankov wrote:
>
> >
> > On 11.01.2020 3:35, arnaldo.melo@gmail.com wrote:
> > >
> > > On January 10, 2020 9:23:27 PM GMT-03:00, Song Liu wrote:
> > >>
> > >>
> > >>> On Jan 10, 2020, at 3:47 PM, Masami Hiramatsu wrote:
> > >>>
> > >>> On Fri, 10 Jan 2020 13:45:31 -0300
> > >>> Arnaldo Carvalho de Melo wrote:
> > >>>
> > >>>> On Sat, Jan 11, 2020 at 12:52:13AM +0900, Masami Hiramatsu wrote:
> > >>>>> On Fri, 10 Jan 2020 15:02:34 +0100 Peter Zijlstra wrote:
> > >>>>>> Again, this only allows attaching to previously created kprobes, it does
> > >>>>>> not allow creating kprobes, right?
> > >>>>
> > >>>>>> That is; I don't think CAP_SYS_PERFMON should be allowed to create
> > >>>>>> kprobes.
> > >>>>
> > >>>>>> As might be clear; I don't actually know what the user-ABI is for
> > >>>>>> creating kprobes.
> > >>>>
> > >>>>> There are 2 ABIs nowadays, ftrace and ebpf. perf-probe uses ftrace interface to
> > >>>>> define new kprobe events, and those events are treated as completely same as
> > >>>>> tracepoint events. On the other hand, ebpf tries to define new probe event
> > >>>>> via perf_event interface. Above one is that interface. IOW, it creates new kprobe.
> > >>>>
> > >>>> Masami, any plans to make 'perf probe' use the perf_event_open()
> > >>>> interface for creating kprobes/uprobes?
> > >>>
> > >>> Would you mean perf probe to switch to perf_event_open()?
> > >>> No, perf probe is for setting up the ftrace probe events. I think we can add an
> > >>> option to use perf_event_open(). But current kprobe creation from perf_event_open()
> > >>> is separated from ftrace by design.
> > >>
> > >> I guess we can extend event parser to understand kprobe directly.
> > >> Instead of
> > >>
> > >> perf probe kernel_func
> > >> perf stat/record -e probe:kernel_func ...
> > >>
> > >> We can just do
> > >>
> > >> perf stat/record -e kprobe:kernel_func ...
> > >
> > >
> > > You took the words from my mouth, exactly, that is a perfect use case, an alternative to the 'perf probe' one of making a disabled event that then gets activated via record/stat/trace, in many cases it's better, removes the explicit probe setup case.
> >
> > Arnaldo, Masami, Song,
> >
> > What do you think about making this also open to CAP_SYS_PERFMON privileged processes?
> > Could you please also review and comment on patch 5/9 for bpf_trace.c?
>
> As we talked at RFC series of CAP_SYS_TRACING last year, I just expected
> to open it for enabling/disabling kprobes, not for creation.
>
> If we can accept user who has no admin privilege but the CAP_SYS_PERFMON,
> to shoot their foot by their own risk, I'm OK to allow it. (Even though,
> it should check the max number of probes to be created by something like
> ulimit)
> I think nowadays we have fixed all such kernel crash problems on x86,
> but not sure for other archs, especially on the devices I can not reach.
> I need more help to stabilize it.

I don't see how enable/disable is any safer than creation.
If there are kernel bugs in kprobes the kernel will crash anyway.
I think such partial CAP_SYS_PERFMON would be very confusing to the users.
CAP_* is about delegation of root privileges to non-root. Delegating
some of it is ok, but disallowing creation makes it useless for bpf tracing,
so we would need to add another CAP later. Hence I suggest to do it right away
instead of breaking sys_perf_event_open() access into two CAPs.
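
Added example, not part of the thread or of the kernel tree: a small C model of the two permission schemes debated above, evaluated against the CapEff mask found in /proc/<pid>/status. The enum and function names are hypothetical; the bit numbers are the mainline values from include/uapi/linux/capability.h (CAP_SYS_PERFMON is 38 as merged in Linux 5.8).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT   21
#define CAP_SYS_PERFMON_BIT 38
enum probe_op  { OP_ENABLE_EXISTING, OP_CREATE_KPROBE }; /* hypothetical */
enum cap_model { MODEL_SPLIT, MODEL_UNIFIED };           /* hypothetical */

/* Pull the effective capability mask out of /proc/<pid>/status text.
 * Returns 0 on success, -1 when no well-formed CapEff line exists. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *q = p + 7;
            while (*q == ' ' || *q == '\t') q++;
            /* Reject an empty value so strtoull cannot run into the next line. */
            if (!isxdigit((unsigned char)*q)) return -1;
            *mask = strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* SPLIT: CAP_SYS_PERFMON may only enable/disable existing kprobes.
 * UNIFIED: it may also create them. CAP_SYS_ADMIN may do both in either. */
int op_allowed(uint64_t eff, enum probe_op op, enum cap_model model)
{
    if ((eff >> CAP_SYS_ADMIN_BIT) & 1) return 1;
    if (!((eff >> CAP_SYS_PERFMON_BIT) & 1)) return 0;
    return model == MODEL_UNIFIED || op == OP_ENABLE_EXISTING;
}

int main(void)
{
    char buf[8192] = {0};
    uint64_t eff;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f || !fread(buf, 1, sizeof(buf) - 1, f) || parse_cap_eff(buf, &eff)) return 1;
    fclose(f);
    printf("CapEff=%016llx create: split=%d unified=%d\n", (unsigned long long)eff,
           op_allowed(eff, OP_CREATE_KPROBE, MODEL_SPLIT),
           op_allowed(eff, OP_CREATE_KPROBE, MODEL_UNIFIED));
    return 0;
}
```

Under the split model a process holding only CAP_SYS_PERFMON is refused kprobe creation, which is the case the reply says would force a second capability for bpf tracing.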