Received: by 2002:ac0:c50a:0:0:0:0:0 with SMTP id y10csp995479imi; Fri, 1 Jul 2022 00:10:19 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vwpOn++iUaEOJ9MQhgBvqBA++UbI0rBcpzYucX7tajm3qhbguRt6Wx92s/Vtc15NHJRrEl X-Received: by 2002:a17:90b:2250:b0:1ec:e553:2851 with SMTP id hk16-20020a17090b225000b001ece5532851mr17470016pjb.76.1656659419397; Fri, 01 Jul 2022 00:10:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656659419; cv=none; d=google.com; s=arc-20160816; b=gctNqMHQn9Bo0sQiYEfcoHm42UHibmsc9kdHJEW0Qj21yOcpQwmmMiJ7ibC9gTk79n vdIu8Fo0sjjVDScg7YfiOskIvU1lrDMOhmf8blOkPl9qajRhxhqqWGhRVXT0Fiz5SpO4 S/AzYrfakIhMFQYMY1EFVgyr1EILZCQdk1IIbz0nWA1f2dysOPTzRtPNtMsh1wcKunjN OVeTcANxfXXfIALj9MZ/yYKborkiA8SJNZPYHitWmOrZnDOHemReWxlL8TnYzVwnIIzN qldHJc6WOHkz65RkeoFFUhTr5AbbdaTBF2H4km91PFwVyonSLF0OSP48wpGYVzZIu+4p i0yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=bLVC9it3gmaPHJbhg9kCZYOMzKfegXg+q16RKxyP15o=; b=MyBsaK7RCJlfOtdXiix3wQbq60lGrITXiESpGmDrn1DtfnaGZN8xhv7mRigMaA438O HqBq5d9R+qbiZxLgbet3BEjtR4zaWqHnWvvWZ+WBOcNUAVr79w0T2cfpSgYJJ/CCBS4y RIWKUce6nzIVPtgU7KiFcxPvXXZpyJNQtLYLCtq4mxy+SIbjyXXyT7k32Kba81Uqw/sB EzAGsmwYt4BEcrhVFtww8hRW/8GubOms+jCFswfm0PEVZYakoFoj5RrNdxTrxhkZnymg vjR0YrLCXPUGG3yix0MNcIqcs1CakpB6RBSYC50EAKAHslF3HaH4sQSbqU9p8HYlK4WH EdqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JMQ3v9F3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d81-20020a621d54000000b004fa3a8dffa5si796276pfd.92.2022.07.01.00.09.42; Fri, 01 Jul 2022 00:10:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JMQ3v9F3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234910AbiGAGrn (ORCPT + 99 others); Fri, 1 Jul 2022 02:47:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46356 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233921AbiGAGri (ORCPT ); Fri, 1 Jul 2022 02:47:38 -0400 Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E96EF61D4D for ; Thu, 30 Jun 2022 23:47:37 -0700 (PDT) Received: by mail-pl1-x629.google.com with SMTP id m14so1516636plg.5 for ; Thu, 30 Jun 2022 23:47:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=bLVC9it3gmaPHJbhg9kCZYOMzKfegXg+q16RKxyP15o=; b=JMQ3v9F3Wkvf2R+Gg79xbs9iZfEor1A698jLijhIABV4Sc/5kejA5j2sKjbs9VeSWF Y7ubTAvpb3wBQiHW2cCkshkd14DL4mnt88ZkS/hNI15JpVfXKstFDyBDWmGZafFDkAuR 5vuTRKYNDw9YITuj6sX93J5CHn1dAheZ0+TIcAf8KCPJQDlcRXNbOy/gIvxAMRgRrRhP NO/VRDHbB/Xx1rDIIYak1ZbiXvcuTTxMt8Pp6+cg6QG8+ZGlXNKZRwac4YLO8D/kTPs8 tSgikzYINPGBU70IwRi5gRR1hbU8KsL44tBMucfOJvvu9woKQIh1Up8YNVAyZ8aQosl4 lHRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=bLVC9it3gmaPHJbhg9kCZYOMzKfegXg+q16RKxyP15o=; b=kE/seQs+9gX09cJWtlKMxHEN1sxUN8+O/Kd+Y/bpgwCjm40OBahL6hTE8a1hNwresl K0Q79OzzuV5I8C8uIbtsnML/gWJ3aElHGNguQB4r8nELu/0wDqpDiS/nMtekX5pt/CpE u8x4DZg1g3OFLFmIa70bQLRazbAaOyvCSVTLghTNcWMQuafktXKhGtQieu8vB6ij8+iW NPGsOgqFOS52YPZrK3NZztSZ4HrDSwRyiOyAljdU6mAK2f3hiRWXjXLpKKA1xs9rh0eY Y6rhAuPxDOH2rqE4dkZM7vG71lG4/RXuOJb1BU2KodkFSQTTXSGeiqDtC3IBAWFX1DK8 V9UQ== X-Gm-Message-State: AJIora9cvLKzyH7NJjJR71d12x/5QS+FRV4486n8GmqQHeekcjTxl/cY ZcDb08GT4zwyAoMFStRFGQr7EA== X-Received: by 2002:a17:902:ec8e:b0:16a:2d25:aa5b with SMTP id x14-20020a170902ec8e00b0016a2d25aa5bmr19512859plg.69.1656658057255; Thu, 30 Jun 2022 23:47:37 -0700 (PDT) Received: from leoy-ThinkPad-X240s (n058152077154.netvigator.com. [58.152.77.154]) by smtp.gmail.com with ESMTPSA id v14-20020aa7808e000000b00518e1251197sm15270706pff.148.2022.06.30.23.47.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Jun 2022 23:47:36 -0700 (PDT) Date: Fri, 1 Jul 2022 14:47:32 +0800 From: Leo Yan To: Anshuman Khandual Cc: "linux-kernel@vger.kernel.org" , Ingo Molnar , Peter Zijlstra , Arnaldo Carvalho de Melo , Mark Rutland Subject: Re: Regarding perfmon_capable() Message-ID: <20220701064732.GA659023@leoy-ThinkPad-X240s> References: <9be223fb-5803-b676-902a-28e1c168cd8a@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <9be223fb-5803-b676-902a-28e1c168cd8a@arm.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Anshuman, On Fri, Jul 01, 2022 at 10:37:37AM +0530, Anshuman Khandual wrote: > Hello, > > In perf event subsystem and related platform drivers registering a PMU, > should perfmon_capable() be used directly ? OR just wondering if instead > perf_allow_[cpu|kernel|tracepoint]() helpers should be used which also > checks for 'sysctl_perf_event_paranoid' ? Should not both capabilities > and 'sysctl_perf_event_paranoid' decide whether kernel/cpu/tracepoint > events will be captured for unprivileged users. This is an interesting but important topic, let me join the discussion. Simply to say, sysctl_perf_event_paranoid is a control knob, perfmon_capable() is for capabilities. perfmon_capable() only allows privileged Perf users to access Perf events; on the other hand, sysctl_perf_event_paranoid can grant green light for non-privileged users to access perf events. Therefore, if we use function perf_allow_[cpu|kernel|tracepoint]() as checking condition which is interfered by sysctl_perf_event_paranoid, it's superset of perfmon_capable(). On the other hand, even a Perf event can be opened by a non-privileged process, the low level driver still doesn't want to leak any sensitive info in the trace data or sampling. This is why Arm SPE driver checks the condition perfmon_capable() and disables CONTEXTIDR tracing for non-privileged users (no matter what's the value of sysctl_perf_event_paranoid). Just bear in mind for a corner case, some perf callback functions are invoked from the kernel threads context rather than user process context, this is why we might obeserve some strange cases that non-privileged users might be wrongly granted some tracing capabilities even we check with perfmon_capable() (Checking perfmon_capable() is not wrong, but it's wrong to do the checking in the kernel kthread context rather than user process context). This is my understanding, just correct me if any thing mentioned is not reliable. Thanks, Leo > arch/parisc/kernel/perf.c: if (!perfmon_capable()) > arch/powerpc/perf/imc-pmu.c: if (!perfmon_capable()) > arch/powerpc/perf/imc-pmu.c: if (!perfmon_capable()) > drivers/gpu/drm/i915/i915_perf.c: i915_perf_stream_paranoid && !perfmon_capable()) { > drivers/gpu/drm/i915/i915_perf.c: if (oa_freq_hz > i915_oa_max_sample_rate && !perfmon_capable()) { > drivers/gpu/drm/i915/i915_perf.c: if (i915_perf_stream_paranoid && !perfmon_capable()) { > drivers/gpu/drm/i915/i915_perf.c: if (i915_perf_stream_paranoid && !perfmon_capable()) { > drivers/media/rc/bpf-lirc.c: if (perfmon_capable()) > drivers/perf/arm_spe_pmu.c: if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && perfmon_capable()) > drivers/perf/arm_spe_pmu.c: if (!perfmon_capable() && > > Although BPF might use perfmon_capabale() alone, because it was never > dependent on 'sysctl_perf_event_paranoid' ? > > - Anshuman