Date: Tue, 16 Dec 2008 14:03:02 +0100
From: Ingo Molnar
To: Pavel Machek
Cc: linux-kernel@vger.kernel.org, Thomas Gleixner, Andrew Morton, Stephane Eranian, Eric Dumazet, Robert Richter, Arjan van de Ven, Peter Anvin, Peter Zijlstra, Paul Mackerras, "David S. Miller", perfctr-devel@lists.sourceforge.net
Subject: Re: [patch] Performance Counters for Linux, v4
Message-ID: <20081216130302.GA27678@elte.hu>
References: <20081214212829.GA9435@elte.hu> <20081216122229.GA1430@ucw.cz> <20081216125000.GC25019@elte.hu> <20081216125720.GC1684@ucw.cz>
In-Reply-To: <20081216125720.GC1684@ucw.cz>

* Pavel Machek wrote:

> On Tue 2008-12-16 13:50:00, Ingo Molnar wrote:
> >
> > * Pavel Machek wrote:
> >
> > > Hmm, if I timec some setuid program, what happens?
> >
> > yes, i already had a quick look at that a few days ago when i implemented
> > counter inheritance (for different reasons) and couldnt find the cleanest
> > place to put the exec() flushing into so i procrastinated that a bit :)
> >
> > > Performance counters seem like great tool to pull secret keys out of
> > > other processes :-).
> >
> > if you worry about _that_ angle you also have to:
> >
> >  - turn off the cycle counter
> >
> >  - turn off precise utimes
>
> Probably good idea, yes.
>
> >  - plus you have to forbid SMT CPUs as well. On HT a task could
> >    co-schedule with your setuid task and observe its timing
> >    characteristics via its _own_ behavior. (which is impacted by whatever
> >    is running on another SMT/HT thread.)
>
> Yes, SMT is evil.

HT got added back to Nehalem, so SMT is coming to you in every future x86
CPU. It brings a serious performance win, so nobody will turn off SMT
threading in practice.

If SMT worries you, it needs explicit partitioning of security-relevant
processing to different physical CPUs, via cgroups/cpusets/etc.

> > the real exec() worry are: active, IRQ driven samples/events. Not possible
> > yet via the current iteration of counter inheritance (hence my
> > procrastination) - but it makes sense and that's why i was looking at the
> > exec() angle.
> >
> > and that will flush simple counters too, removing your theoretical attack
> > angle as well.
> >
> > So how about the patch below?
>
> Thanks!
>
> > Subject: perfcounters: flush on setuid exec
> > From: Ingo Molnar
> > Date: Tue Dec 16 13:40:44 CET 2008
> >
> > Pavel Machek pointed out that performance counters should be flushed
> > when crossing protection domains on setuid execution.
> >
> > Reported-by: Pavel Machek
> > Signed-off-by: Ingo Molnar
>
> Acked-by: Pavel Machek

find below the final commit, thanks Pavel.

	Ingo

------------>
From f65cb45cba63f249458b669aa67069eabc37b2f5 Mon Sep 17 00:00:00 2001
From: Ingo Molnar
Date: Tue, 16 Dec 2008 13:40:44 +0100
Subject: [PATCH] perfcounters: flush on setuid exec

Pavel Machek pointed out that performance counters should be flushed
when crossing protection domains on setuid execution.

Reported-by: Pavel Machek
Acked-by: Pavel Machek
Signed-off-by: Ingo Molnar
---
 fs/exec.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c index ec5df9a..d5165d8 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include 
@@ -1017,6 +1018,13 @@ int flush_old_exec(struct linux_binprm * bprm) set_dumpable(current->mm, suid_dumpable); } + /* + * Flush performance counters when crossing a + * security domain: + */ + if (!get_dumpable(current->mm)) + perf_counter_exit_task(current); + /* An exec changes our domain. We are no longer part of the thread group */
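
Review bot: the new test in flush_old_exec(), "if (!get_dumpable(current->mm))", uses the coredump flag as a stand-in for "crossed a security domain", and the context line just above it sets that flag with set_dumpable(current->mm, suid_dumpable). When suid_dumpable is set to a non-zero value, get_dumpable() returns non-zero after a setuid exec, so perf_counter_exit_task(current) is skipped and the counters survive the exec the subject line says should flush them. I would key the flush on the credential-change condition that selects the suid_dumpable branch rather than on the resulting dumpable value, and have the comment name that condition instead of the broader "security domain".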
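
The SMT point in the message above (partitioning security-relevant processing onto separate physical CPUs via cpusets) can be checked before a cpuset is created. This is an added example, not part of the original mail or the kernel patch; the function names and the sample topology are constructed for illustration, and it assumes the Linux sysfs file thread_siblings_list is available.

```python
import glob
import os


def parse_cpulist(text):
    """Parse the kernel cpulist format ('0,4' or '0-3,8-11') into a set of ints."""
    cpus = set()
    for part in text.strip().split(","):
        if part:
            lo, _, hi = part.partition("-")
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus


def read_siblings(sysfs="/sys/devices/system/cpu"):
    """Map each CPU that exposes topology to the threads on its physical core."""
    siblings = {}
    pattern = os.path.join(sysfs, "cpu[0-9]*", "topology", "thread_siblings_list")
    for path in glob.glob(pattern):
        cpu = int(path.split(os.sep)[-3][3:])  # ".../cpu12/topology/..." -> 12
        with open(path) as fh:
            siblings[cpu] = parse_cpulist(fh.read())
    return siblings


def smt_leaks(siblings, sensitive):
    """Return {cpu in the set: [sibling threads left outside the set]}."""
    leaks = {}
    for cpu in sorted(sensitive):
        outside = siblings.get(cpu, {cpu}) - sensitive
        if outside:
            leaks[cpu] = sorted(outside)
    return leaks


def close_over_cores(siblings, sensitive):
    """Smallest superset of `sensitive` that owns whole physical cores."""
    closed = set()
    for cpu in sensitive:
        closed |= siblings.get(cpu, {cpu})
    return closed


# Constructed sample topology: 4 cores x 2 threads, siblings are (n, n + 4).
SAMPLE = {n: parse_cpulist(f"{n % 4},{n % 4 + 4}") for n in range(8)}

if __name__ == "__main__":
    topo = read_siblings() or SAMPLE  # fall back to the sample off-Linux
    wanted = {2, 3}                   # CPUs proposed for the sensitive cpuset
    print("threads shared with outsiders:", smt_leaks(topo, wanted))
    print("cpuset.cpus should be:", sorted(close_over_cores(topo, wanted)))
```

An empty result from smt_leaks() means every hardware thread of each chosen core is inside the set, so no task outside the cpuset can co-schedule on a sibling thread.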