Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5293915pxj; Wed, 26 May 2021 07:22:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwEo8YlipdNMiWyqDLr5XiYILYe+zC5shaE7Wquwx8MMyiTMd8tSHJRsscegSp1wQF49zXQ X-Received: by 2002:a02:294d:: with SMTP id p74mr3470106jap.132.1622038955998; Wed, 26 May 2021 07:22:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622038955; cv=none; d=google.com; s=arc-20160816; b=m/tpprujW+JgWo8rNv4/rk2MUb8ZECjTTg2ZmP118x6ecP3J9WedbBUCHTpteskBG3 vIxQ00nHzgbZxGVd0ivSkLfoBU/DHJPnYXho8/lwh6Hm/z3ztNnShpeVvAY0O4Yp16aL 5ZpMeorcKj/lHjBcJVs65eTPz+AZtlfSW6z7pr57L4MuLv4c/PKdZgtaU4+RqdRACRzr 3JVqExrFYMDebdWrRpRP8ddoKgPxxPgk6n+Q6fFbGyI8APyIOI2NhJ6BA+ldrIeQmSVn qD1s8umqgOibzGSqE/QOkZMccOxlDFyKRxiod6wdlMew83wGSmACN5Jq3HRiwzYGryx6 VTzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=C31iPrXHyUi0kVsJC/292gXeQjR1Bi/o6zbB6RykqfU=; b=W38JZenEGzLGKMQV8UG2wUdV0MqdefXRpBoQffW1fSRk+gJkDloguAAtXGdwoDWXqD SoAmCOJfcy0GZWaRXqvMPv3NSRiUrlQWisu6Z6V9/cLpXsZuXUW1hCyUtGbWwgvRQg0S oNUyoouvQGqKXFZ6zNZSN0gtfc+FJTDc4QdZq8zXZ4V6lgpjKjewHXzWftVacR9Pqska reHOmzT7aeenbrjPBCvkO9hiK1/frQqq+BKzzxKdiAUOhMrfnYbFXrWwl+KF6HmcgRYX QNBbqe7wWH2G1p40C+BBpdz6TqRrjMBQnzFzf/qNx9TB9w8bpaBwAVj/OzQlIR/3zslT l70g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CebbaxlQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t10si20363991ilj.54.2021.05.26.07.22.21; Wed, 26 May 2021 07:22:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CebbaxlQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234432AbhEZOV4 (ORCPT + 99 others); Wed, 26 May 2021 10:21:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:48552 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234096AbhEZOVz (ORCPT ); Wed, 26 May 2021 10:21:55 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 5C0F061248; Wed, 26 May 2021 14:20:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1622038824; bh=o7LDYAS4HfE7cCCWNy5DV9wNf+3T7eAq6p3G+I2eXqo=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=CebbaxlQGcwFSBpCnWx3W4lVbOuIOcCFJ5f1Q0bEQb/jry/nnCE3XmKLt+sbssbwi /zYZpxkEAs17uSdOeAa0J8sxuiMEL2ZHlXPLQkzYf0doTeH/OX/n03S1kqhWTpdGio 42wwdVMzrsp5J/oiYISO+CqRwAQm8ljPFMxEw/zP2OL6Ud0E1zCpuSE4pcraaf6LRf YkSgJl9xo1x3BtAgQzSqmuuTgjmZ4EOHPe7UyVSdPYRrAiZjWZ0lL81U8ZEeWX/hwx MOijTdWDPXHe953SR21RRZpFZ/1m8oBCroZIqJxTsCNMc4idBh2aMqnt8lsgWKaKxV 0b3QujrKXQCVQ== Date: Wed, 26 May 2021 23:20:20 +0900 From: Masami Hiramatsu To: Arnaldo Carvalho de Melo Cc: Ravi Bangoria , Jiri Olsa , linux-kernel@vger.kernel.org, aneesh.kumar@linux.ibm.com, Peter Zijlstra , Ingo Molnar , Namhyung Kim , Ian Rogers Subject: Re: [PATCH] perf probe: Provide more detail with relocation warning Message-Id: <20210526232020.c1632c2285af811c7531b3cc@kernel.org> In-Reply-To: References: <20210525043744.193297-1-ravi.bangoria@linux.ibm.com> <20210525214858.33a66846ac09e499c3268a63@kernel.org> <05e32c82-1009-03ba-d973-8b1bc0582ce2@linux.ibm.com> <20210526153340.a49ba8292f201493990f210c@kernel.org> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 26 May 2021 09:56:29 -0300 Arnaldo Carvalho de Melo wrote: > Em Wed, May 26, 2021 at 03:33:40PM +0900, Masami Hiramatsu escreveu: > > On Wed, 26 May 2021 10:23:18 +0530 Ravi Bangoria wrote: > > > On 5/25/21 6:18 PM, Masami Hiramatsu wrote: > > > > On Tue, 25 May 2021 10:07:44 +0530 Ravi Bangoria wrote: > > > > >> When run as normal user with default sysctl kernel.kptr_restrict=0 > > > >> and kernel.perf_event_paranoid=2, perf probe fails with: > > > > >> $ ./perf probe move_page_tables > > > >> Relocated base symbol is not found! > > > > >> The warning message is not much informative. The reason perf > > > >> fails is because /proc/kallsyms is restricted by > > > >> perf_event_paranoid=2 for normal user and thus perf fails to read > > > >> relocated address of the base symbol. > > > > >> Tweaking kptr_restrict and perf_event_paranoid can change the > > > >> behavior of perf probe. Also, running as root or privileged user > > > >> works too. Add these details in the warning message. > > > > >> Plus, kmap->ref_reloc_sym might not be always set even if > > > >> host_machine is initialized. Above is the example of the same. > > > >> Remove that comment. > > > > > Yes, those are restricted in some cases. Anyway without priviledged > > > > (super) user, perf probe can not set the probe in ftrace. > > > > > Hmm, I think it should check the effective user-id at first. If it > > > > is not super user and the action will access tracefs and kallsyms, > > > > it should warn at that point. > > > > If kptr_restrict=2, perf probe fails with same error even for root user. > > > That's why I thought to just change this warning message. > > > Ah, yes. In that case, perf probe must not use the base symbol. > > (like -D option) > > OK, then, let's merge this fix. > > > Acked-by: Masami Hiramatsu > > Thanks, applied as it improves the current situation. > > But as a follow up, to further improve this, we can reuse what 'perf trace' has: > > $ perf trace sleep 1 > Error: No permissions to read /sys/kernel/tracing/events/raw_syscalls/sys_(enter|exit) > Hint: Try 'sudo mount -o remount,mode=755 /sys/kernel/tracing/' > $ sudo mount -o remount,mode=755 /sys/kernel/tracing/ > $ perf trace sleep 1 > Error: Permission denied. > Hint: Check /proc/sys/kernel/perf_event_paranoid setting. > Hint: For your workloads it needs to be <= 1 > Hint: For system wide tracing it needs to be set to -1. > Hint: Try: 'sudo sh -c "echo -1 > /proc/sys/kernel/perf_event_paranoid"' > Hint: The current value is 2. > $ OK, let me check this. BTW, does perf_event_paranoid affect only perf syscall (and kallsyms), not the tracefs correct? > I.e. go the extra step and show what the current value is and what it > needs to be to achieve what is being attempted. > > IOW combine error message with relevant documentation, to save steps. > > See what 'perf top' does for an unpriv user: > > $ perf top --stdio > Error: > Access to performance monitoring and observability operations is limited. > Enforced MAC policy settings (SELinux) can limit access to performance > monitoring and observability operations. Inspect system audit records for > more perf_event access control information and adjusting the policy. > Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open > access to performance monitoring and observability operations for processes > without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability. > More information can be found at 'Perf events and tool security' document: > https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html > perf_event_paranoid setting is 2: > -1: Allow use of (almost) all events by all users > Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK > >= 0: Disallow raw and ftrace function tracepoint access > >= 1: Disallow CPU event access > >= 2: Disallow kernel profiling > To make the adjusted perf_event_paranoid setting permanent preserve it > in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = ) Hmm, I would rather like pointing manpages... Would we better to have perf-security.7 manpage? Thank you, > $ > > - Arnaldo > > > > > > > > > Different combinations of privilege, perf_event_paranoid, kptr_restrict: > > > > > > Normal/Root user > > > | perf_event_paranoid > > > V V kptr_restrict perf probe error > > > ---------------------------------------------------------------- > > > N -1 0 Failed to open kprobe_events: Permission denied > > > N 0 0 Failed to open kprobe_events: Permission denied > > > N 1 0 Failed to open kprobe_events: Permission denied > > > N 2 0 Relocated base symbol is not found! > > > > > > N -1 1 Relocated base symbol is not found! > > > N 0 1 Relocated base symbol is not found! > > > N 1 1 Relocated base symbol is not found! > > > N 2 1 Relocated base symbol is not found! > > > > > > N -1 2 Relocated base symbol is not found! > > > N 0 2 Relocated base symbol is not found! > > > N 1 2 Relocated base symbol is not found! > > > N 2 2 Relocated base symbol is not found! > > > > > > R -1 0 No error. > > > R 0 0 No error. > > > R 1 0 No error. > > > R 2 0 No error. > > > > > > R -1 1 No error. > > > R 0 1 No error. > > > R 1 1 No error. > > > R 2 1 No error. > > > > > > R -1 2 Relocated base symbol is not found! > > > R 0 2 Relocated base symbol is not found! > > > R 1 2 Relocated base symbol is not found! > > > R 2 2 Relocated base symbol is not found! > > > > > > Ravi > > > > > > -- > > Masami Hiramatsu > > -- > > - Arnaldo -- Masami Hiramatsu