From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Jeff Vander Stoep <jeffv@google.com>,
kernel-hardening@lists.openwall.com, mingo@redhat.com,
alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [kernel-hardening] Re: [PATCH 1/2] security, perf: allow further restriction of perf_event_open
Date: Tue, 2 Aug 2016 10:04:57 -0300 [thread overview]
Message-ID: <20160802130457.GD26514@kernel.org> (raw)
In-Reply-To: <20160802095243.GD6862@twins.programming.kicks-ass.net>
Em Tue, Aug 02, 2016 at 11:52:43AM +0200, Peter Zijlstra escreveu:
> On Wed, Jul 27, 2016 at 07:45:46AM -0700, Jeff Vander Stoep wrote:
> > When kernel.perf_event_paranoid is set to 3 (or greater), disallow
> > all access to performance events by users without CAP_SYS_ADMIN.
> > This new level of restriction is intended to reduce the attack
> > surface of the kernel. Perf is a valuable tool for developers but
> > is generally unnecessary and unused on production systems. Perf may
> > open up an attack vector to vulnerable device-specific drivers as
> > recently demonstrated in CVE-2016-0805, CVE-2016-0819,
> > CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843.
> We have bugs we fix them, we don't kill complete infrastructure because
> of them.
> > This new level of
> > restriction allows for a safe default to be set on production systems
> > while leaving a simple means for developers to grant access [1].
> So the problem I have with this is that it will completely inhibit
> development of things like JITs that self-profile to re-compile
> frequently used code.
Or reimplement strace with sys_perf_event_open(), speeding it up greatly
by not using ptrace (see 'perf trace', one such attempt), combining it
with sys_bpf(), which can run unpriviledged as well, provides lots of
possibilities for efficient tooling that would be greatly stiffled by
such big hammer restrictions :-(
> I would much rather have an LSM hook where the security stuff can do
> more fine grained control of things. Allowing some apps perf usage while
> denying others.
- Arnaldo
WARNING: multiple messages have this Message-ID (diff)
From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Jeff Vander Stoep <jeffv@google.com>,
kernel-hardening@lists.openwall.com, mingo@redhat.com,
alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] security, perf: allow further restriction of perf_event_open
Date: Tue, 2 Aug 2016 10:04:57 -0300 [thread overview]
Message-ID: <20160802130457.GD26514@kernel.org> (raw)
In-Reply-To: <20160802095243.GD6862@twins.programming.kicks-ass.net>
Em Tue, Aug 02, 2016 at 11:52:43AM +0200, Peter Zijlstra escreveu:
> On Wed, Jul 27, 2016 at 07:45:46AM -0700, Jeff Vander Stoep wrote:
> > When kernel.perf_event_paranoid is set to 3 (or greater), disallow
> > all access to performance events by users without CAP_SYS_ADMIN.
> > This new level of restriction is intended to reduce the attack
> > surface of the kernel. Perf is a valuable tool for developers but
> > is generally unnecessary and unused on production systems. Perf may
> > open up an attack vector to vulnerable device-specific drivers as
> > recently demonstrated in CVE-2016-0805, CVE-2016-0819,
> > CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843.
> We have bugs we fix them, we don't kill complete infrastructure because
> of them.
> > This new level of
> > restriction allows for a safe default to be set on production systems
> > while leaving a simple means for developers to grant access [1].
> So the problem I have with this is that it will completely inhibit
> development of things like JITs that self-profile to re-compile
> frequently used code.
Or reimplement strace with sys_perf_event_open(), speeding it up greatly
by not using ptrace (see 'perf trace', one such attempt), combining it
with sys_bpf(), which can run unpriviledged as well, provides lots of
possibilities for efficient tooling that would be greatly stiffled by
such big hammer restrictions :-(
> I would much rather have an LSM hook where the security stuff can do
> more fine grained control of things. Allowing some apps perf usage while
> denying others.
- Arnaldo
next prev parent reply other threads:[~2016-08-02 13:04 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-27 14:45 [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open Jeff Vander Stoep
2016-07-27 14:45 ` Jeff Vander Stoep
2016-07-27 20:43 ` [kernel-hardening] " Kees Cook
2016-08-02 9:52 ` [kernel-hardening] " Peter Zijlstra
2016-08-02 9:52 ` Peter Zijlstra
2016-08-02 13:04 ` Arnaldo Carvalho de Melo [this message]
2016-08-02 13:04 ` Arnaldo Carvalho de Melo
2016-08-02 13:10 ` [kernel-hardening] " Daniel Micay
2016-08-02 13:16 ` Daniel Micay
2016-08-02 19:04 ` Kees Cook
2016-08-02 20:30 ` Peter Zijlstra
2016-08-02 20:51 ` Kees Cook
2016-08-02 21:06 ` Jeffrey Vander Stoep
2016-08-03 8:28 ` Ingo Molnar
2016-08-03 12:28 ` Daniel Micay
2016-08-03 12:53 ` Daniel Micay
2016-08-03 13:36 ` Peter Zijlstra
2016-08-03 14:41 ` Peter Zijlstra
2016-08-03 15:42 ` Schaufler, Casey
2016-08-03 17:25 ` Eric W. Biederman
2016-08-03 17:25 ` Eric W. Biederman
2016-08-03 18:53 ` Kees Cook
2016-08-03 21:44 ` Peter Zijlstra
2016-08-04 2:50 ` Eric W. Biederman
2016-08-04 2:50 ` Eric W. Biederman
2016-08-04 9:11 ` Peter Zijlstra
2016-08-04 15:13 ` Eric W. Biederman
2016-08-04 15:13 ` Eric W. Biederman
2016-08-04 15:37 ` Peter Zijlstra
2016-08-03 19:36 ` Daniel Micay
2016-08-04 10:28 ` Mark Rutland
2016-08-04 13:45 ` Daniel Micay
2016-08-04 14:11 ` Peter Zijlstra
2016-08-04 15:44 ` Daniel Micay
2016-08-04 15:55 ` Peter Zijlstra
2016-08-04 16:10 ` Mark Rutland
2016-08-04 16:32 ` Daniel Micay
2016-08-04 17:09 ` Mark Rutland
2016-08-04 17:36 ` Daniel Micay
2016-08-02 21:16 ` Jeffrey Vander Stoep
2016-10-17 13:44 ` [kernel-hardening] " Mark Rutland
2016-10-17 14:54 ` Daniel Micay
2016-10-19 9:41 ` Mark Rutland
2016-10-19 15:16 ` Daniel Micay
2016-10-18 20:48 ` Kees Cook
2016-10-18 21:15 ` Daniel Micay
2016-10-19 9:56 ` Mark Rutland
2016-10-19 10:01 ` Peter Zijlstra
2016-10-19 10:26 ` Arnaldo Carvalho de Melo
2016-10-19 10:40 ` Peter Zijlstra
2016-10-19 15:39 ` Daniel Micay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160802130457.GD26514@kernel.org \
--to=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=jeffv@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.