Received: by 2002:ac0:c50a:0:0:0:0:0 with SMTP id y10csp1006330imi; Fri, 1 Jul 2022 00:31:48 -0700 (PDT) X-Google-Smtp-Source: AGRyM1shuAaZBECGPYUC4fvrAXVzOo/UmGGMoM7v34Z3q34u0Ac/H8mCazJ+0zfdRI/mDrcK4lp4 X-Received: by 2002:a63:1047:0:b0:40d:7553:d897 with SMTP id 7-20020a631047000000b0040d7553d897mr10931841pgq.485.1656660708069; Fri, 01 Jul 2022 00:31:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656660708; cv=none; d=google.com; s=arc-20160816; b=Jb5R8fZBH0Kr13AWw7uR2LMH7PDjRHYaK3rGzkCcMNAZ+8vrHmqdNwAsKZpCQEqsRr wRyEULtsxQ9hX1hZHX759vOudcI3Rc7AF8z5HBymJUjyGnXE00A2KhX0u2KyX4YzW3my 4l0v7rsUF3Uocmoln40kGrMUjAfjprmmYoGFX7rRw4BDM6hnWFrPVIN8UpkMT0n5HCBb b6rvP8ITxl67Yo9WLbNL3staBdqAESMVvVfDFl4vi5uCV0Vj3zoFOYUrwgzR1LpAUjuf LTy648Mh12pUarYgWa8NXE+pf6HToud1d+U96raJWMX/mGW6qs322LfzzQqo9Y7B7X8R uXMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=VyTvG0nZpiKqqFJ9BX6BLwtxO9D5XVglOyAvsmE8rxk=; b=m2DdTanmCx7FXQFQyP8p2ruQRG6oSzUE5125ztaofhwqfKgb0WNaQUGdeZkfXBMsL3 uhktF7AmBt9QNz0wlph+crqggwAAT1PIXXxYOVGsc/eoqfO+/PnJ0x9cV+0e/u9h349v oknzTDzoRhsqU79cwIsSKyz/oEURpcStV5RO+OnZFvC3a6G1rxHcSdqd0O6HaEpRznR+ or7nBnSwg4fNaXoakfJBtzDvm2HxYfhv4XX3QMiDGyva1qurq2+UrhkiwY6cC5WCu0tL lUq5RxYTNV2UnerO/qrhlKfNaWXxEnHOyO/ZSXSoznyNybSMhms/vGJD4fu++OtE+V+y nVAA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q16-20020a170902f79000b0015827ec0073si30313734pln.452.2022.07.01.00.31.36; Fri, 01 Jul 2022 00:31:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233082AbiGAHWp (ORCPT + 99 others); Fri, 1 Jul 2022 03:22:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48998 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229689AbiGAHWm (ORCPT ); Fri, 1 Jul 2022 03:22:42 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9DA3C68A08 for ; Fri, 1 Jul 2022 00:22:41 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 92D481042; Fri, 1 Jul 2022 00:22:41 -0700 (PDT) Received: from [10.162.43.6] (unknown [10.162.43.6]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 67A143F792; Fri, 1 Jul 2022 00:22:39 -0700 (PDT) Message-ID: <54ea5d8c-74ad-c89a-929f-5d570ca351df@arm.com> Date: Fri, 1 Jul 2022 12:52:36 +0530 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Subject: Re: Regarding perfmon_capable() Content-Language: en-US To: Leo Yan Cc: "linux-kernel@vger.kernel.org" , Ingo Molnar , Peter Zijlstra , Arnaldo Carvalho de Melo , Mark Rutland References: <9be223fb-5803-b676-902a-28e1c168cd8a@arm.com> <20220701064732.GA659023@leoy-ThinkPad-X240s> From: Anshuman Khandual In-Reply-To: <20220701064732.GA659023@leoy-ThinkPad-X240s> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/1/22 12:17, Leo Yan wrote: > Hi Anshuman, > > On Fri, Jul 01, 2022 at 10:37:37AM +0530, Anshuman Khandual wrote: >> Hello, >> >> In perf event subsystem and related platform drivers registering a PMU, >> should perfmon_capable() be used directly ? OR just wondering if instead >> perf_allow_[cpu|kernel|tracepoint]() helpers should be used which also >> checks for 'sysctl_perf_event_paranoid' ? Should not both capabilities >> and 'sysctl_perf_event_paranoid' decide whether kernel/cpu/tracepoint >> events will be captured for unprivileged users. > > This is an interesting but important topic, let me join the discussion. > > Simply to say, sysctl_perf_event_paranoid is a control knob, > perfmon_capable() is for capabilities. perfmon_capable() only allows > privileged Perf users to access Perf events; on the other hand, > sysctl_perf_event_paranoid can grant green light for non-privileged > users to access perf events. Could not unprivileged users have capabilities too ? I thought that was the whole point for capabilities. > > Therefore, if we use function perf_allow_[cpu|kernel|tracepoint]() as > checking condition which is interfered by sysctl_perf_event_paranoid, > it's superset of perfmon_capable(). Right. IIUC sysctl_perf_event_paranoid was the original method for perf event to restrict access, where as capabilities is the new method. Hence both needs to be checked for compatibility purpose for the original one. > > On the other hand, even a Perf event can be opened by a non-privileged > process, the low level driver still doesn't want to leak any sensitive > info in the trace data or sampling. This is why Arm SPE driver checks Can/should low level PMU drivers enforce yet another layer of privilege check even after the core perf allowed the event to be created in the first place ? > the condition perfmon_capable() and disables CONTEXTIDR tracing for > non-privileged users (no matter what's the value of > sysctl_perf_event_paranoid). > > Just bear in mind for a corner case, some perf callback functions are > invoked from the kernel threads context rather than user process > context, this is why we might obeserve some strange cases that > non-privileged users might be wrongly granted some tracing > capabilities even we check with perfmon_capable() (Checking > perfmon_capable() is not wrong, but it's wrong to do the checking in > the kernel kthread context rather than user process context). Is not pmu->event_init() called in user process context itself. Why can not all privillege checking be done there and stored (if required) some where more platform specific e.g event->hw.config or any other platform data structure. Why should privilege gets checked in callbacks which might run in privilege contexts to create such corner cases ? > > This is my understanding, just correct me if any thing mentioned > is not reliable. > > Thanks, > Leo > >> arch/parisc/kernel/perf.c: if (!perfmon_capable()) >> arch/powerpc/perf/imc-pmu.c: if (!perfmon_capable()) >> arch/powerpc/perf/imc-pmu.c: if (!perfmon_capable()) >> drivers/gpu/drm/i915/i915_perf.c: i915_perf_stream_paranoid && !perfmon_capable()) { >> drivers/gpu/drm/i915/i915_perf.c: if (oa_freq_hz > i915_oa_max_sample_rate && !perfmon_capable()) { >> drivers/gpu/drm/i915/i915_perf.c: if (i915_perf_stream_paranoid && !perfmon_capable()) { >> drivers/gpu/drm/i915/i915_perf.c: if (i915_perf_stream_paranoid && !perfmon_capable()) { >> drivers/media/rc/bpf-lirc.c: if (perfmon_capable()) >> drivers/perf/arm_spe_pmu.c: if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && perfmon_capable()) >> drivers/perf/arm_spe_pmu.c: if (!perfmon_capable() && >> >> Although BPF might use perfmon_capabale() alone, because it was never >> dependent on 'sysctl_perf_event_paranoid' ? >> >> - Anshuman