Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1834604ybh; Tue, 14 Jul 2020 08:30:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyj7FaPEmdGdfpmX++e387s6sJylr3+/gVB+qZUOOli24EAse7KICbzvAWFKTKB9gFbDD0F X-Received: by 2002:a17:906:e213:: with SMTP id gf19mr4882374ejb.433.1594740645201; Tue, 14 Jul 2020 08:30:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594740645; cv=none; d=google.com; s=arc-20160816; b=0u06qCKn/rYgtVNZ10TDfG/ulwgkWXcq5wbg82GayJ36Akj10aTNwjZvbJYZVetu+W ur95hAFTk6vzt8yqA7rOUrTWGXi+y29kvfzCVKsnLhOaBpyHT0x2fdQbXSM9Pzumh3Rs HRwScEbJ+pYsATS/No43bhx+8mXtxO6G7Yu9Yt10OfoPPya+Abo1rE0E7JXHupsJ/iGD IRoHXFpq++l2pA3qlLPOJONOYp2jb07QSwaFeVlwhYBPDV+UdJtpSKiNFYpYRHJwaitd +ra98HIubHKib87grkNwFMEFeGfbr7Ic3tRKUgRGLxnyGgqdPPzhp3yU5dMwFCQjA0LW e0CA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=MIhabHYIpQLrnx4W095fUY6Pw7m5DJp42ViL3RwPnL8=; b=JJzMhOTd0c7cNq1CXhLa3i5I2+/ObJ42U6O8e5999WHrlN6PXaetZjqeLrDOTukNzz wmFSaDw7hDoTogVC8hvFdi/NmEMaH9SYGFsvV0p1rpV7Og0HQOKi/jPhAmjaEBTSGf+a bHSBtnTaGxNGRKLUeeBtrI1Va+A6wZLuh8P9KJU7mflwfqxsVZsHwhSQU2S11K23Rb2j /CrOIUhxDyD3qbBqK8Ehn1F3gjFoMJaUg4i/MUahd/QwZ+aReQawzqotiNwhDNR0M/yp UhORyb5F3eYGXwickIkFnw0O48ZRTGOTYRTyC3PFkzzX0NA9AQcmtQKRojrgLcYs11d4 IlQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="IlF+/jEn"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bw19si11356194ejb.729.2020.07.14.08.30.20; Tue, 14 Jul 2020 08:30:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="IlF+/jEn"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726798AbgGNP1l (ORCPT + 99 others); Tue, 14 Jul 2020 11:27:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:47622 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725884AbgGNP1k (ORCPT ); Tue, 14 Jul 2020 11:27:40 -0400 Received: from quaco.ghostprotocols.net (unknown [179.97.37.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E4F1F221EF; Tue, 14 Jul 2020 15:27:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1594740460; bh=QoYjwUwCr8iv3vS0vUx9ZHDJWPjQ+QNqL1IS1uCDfws=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=IlF+/jEnPt4EseeRoIoPFjobQsVIxxHoMUxeaU6x4iPB5I+zcKXAo29Qsj3LrlSOt F6aKwji3bHjIa+iFYvuEuppwWSC+Pr6wSidVxI+lDpf5/hUfxbTwvOv1iYZzWp3Zte 6KaHlCF6JXLRFZMGMOyPUXEr32zu95cx5ogg8TB4= Received: by quaco.ghostprotocols.net (Postfix, from userid 1000) id 1478540094; Tue, 14 Jul 2020 12:27:38 -0300 (-03) Date: Tue, 14 Jul 2020 12:27:38 -0300 From: Arnaldo Carvalho de Melo To: Peter Zijlstra Cc: Alexey Budankov , Ravi Bangoria , Alexei Starovoitov , Ingo Molnar , James Morris , Namhyung Kim , Serge Hallyn , Jiri Olsa , Song Liu , Andi Kleen , Stephane Eranian , Igor Lubashev , Thomas Gleixner , linux-kernel , "linux-security-module@vger.kernel.org" , "selinux@vger.kernel.org" , "intel-gfx@lists.freedesktop.org" , "linux-doc@vger.kernel.org" , linux-man@vger.kernel.org Subject: Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability Message-ID: <20200714152738.GB43671@kernel.org> References: <76718dc6-5483-5e2e-85b8-64e70306ee1f@linux.ibm.com> <7776fa40-6c65-2aa6-1322-eb3a01201000@linux.intel.com> <20200710170911.GD7487@kernel.org> <0d2e2306-22b2-a730-dc3f-edb3538b6561@linux.intel.com> <20200713121746.GA7029@kernel.org> <0fadcf78-8b0e-ed03-a554-cc172b7d249c@linux.intel.com> <20200713185152.GA18094@kernel.org> <20200714105934.GU10769@hirez.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200714105934.GU10769@hirez.programming.kicks-ass.net> X-Url: http://acmel.wordpress.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Em Tue, Jul 14, 2020 at 12:59:34PM +0200, Peter Zijlstra escreveu: > On Mon, Jul 13, 2020 at 03:51:52PM -0300, Arnaldo Carvalho de Melo wrote: > > > > > diff --git a/kernel/events/core.c b/kernel/events/core.c > > > > index 856d98c36f56..a2397f724c10 100644 > > > > --- a/kernel/events/core.c > > > > +++ b/kernel/events/core.c > > > > @@ -11595,7 +11595,7 @@ SYSCALL_DEFINE5(perf_event_open, > > > > * perf_event_exit_task() that could imply). > > > > */ > > > > err = -EACCES; > > > > - if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) > > > > + if (!perfmon_capable() && !ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) > > > > goto err_cred; > > > > } > > > >> makes monitoring simpler and even more secure to use since Perf tool need > > > >> not to start/stop/single-step and read/write registers and memory and so on > > > >> like a debugger or strace-like tool. What do you think? > > > > I tend to agree, Peter? > So this basically says that if CAP_PERFMON, we don't care about the > ptrace() permissions? Just like how CAP_SYS_PTRACE would always allow > the ptrace checks? > I suppose that makes sense. Yeah, it in fact addresses the comment right above it: if (task) { err = mutex_lock_interruptible(&task->signal->exec_update_mutex); if (err) goto err_task; /* * Reuse ptrace permission checks for now. * * We must hold exec_update_mutex across this and any potential * perf_install_in_context() call for this new event to * serialize against exec() altering our credentials (and the * perf_event_exit_task() that could imply). */ err = -EACCES; if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) goto err_cred; } that "for now" part :-) Idea is to not require CAP_PTRACE for that, i.e. the attack surface for the perf binary is reduced. - Arnaldo