From: Prarit Bhargava <prarit@redhat.com>
To: Brian Gerst <brgerst@gmail.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	the arch/x86 maintainers <x86@kernel.org>,
	Len Brown <len.brown@intel.com>,
	Dasaratharaman Chandramouli 
	<dasaratharaman.chandramouli@intel.com>
Subject: Re: [PATCH] x86, msr: Allow read access to /dev/cpu/X/msr
Date: Fri, 26 Jun 2015 17:26:32 -0400
Message-ID: <558DC388.5070602@redhat.com>
In-Reply-To: <CAMzpN2j-0s9kNzuCwa9n2ZbxcveK=72r-SP=Ofhu+4uY8Us=_A@mail.gmail.com>



On 06/26/2015 03:23 PM, Brian Gerst wrote:
> On Fri, Jun 26, 2015 at 1:52 PM, Prarit Bhargava <prarit@redhat.com> wrote:
>> Customers write system monitoring software for single systems as well as
>> clusters.  In load-balancing software it is useful to know how "busy" a
>> core is.  Unfortunately the only way to get this data is to run as root,
>> or use setcap to allow userspace access for particular programs.  Both of
>> these options are clunky at best.
>>
>> This patch allows read access to the msr dev files which should be okay.
>> No damage can be done by reading the MSR values and it allows non-root
>> users to run system monitoring software.
>>
>> The turbostat code specifically checks for CAP_SYS_RAWIO, which it
>> shouldn't have to and I've removed that code.  Additionally I've modified
>> the turbostat man page to remove documentation about configuring
>> CAP_SYS_RAW_IO.
>>
>> Note: Write access to msr is still restricted with this patch.
> 
> Allowing unrestricted read access to all MSRs is wrong.  Some MSRs
> contain addresses of kernel data structures, which can be used in
> security exploits.
> 
> The proper way to do this is to write a driver to only expose the MSRs
> that the user tools need, and nothing else.

Will do -- At least I got everyone's attention with this :).

P.

> 
> --
> Brian Gerst
> 
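
The filtered interface suggested in the quoted reply, sketched as an added example that is not part of the original message or of any kernel code: a userspace C model of a read handler that keeps the /dev/cpu/X/msr convention (file offset selects the register, 8 bytes per read) but checks an allowlist before any register is read. The choice of allowed registers (TSC, MPERF, APERF), the names filtered_msr_read, msr_allowed and fake_rdmsr, and the sample register values are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Architectural MSR indices; which ones to expose is an assumption of this example. */
#define MSR_IA32_TSC   0x00000010u
#define MSR_IA32_MPERF 0x000000e7u
#define MSR_IA32_APERF 0x000000e8u
#define MSR_LSTAR      0xc0000082u /* holds the syscall entry address */

static const uint32_t msr_allowlist[] = { MSR_IA32_TSC, MSR_IA32_MPERF, MSR_IA32_APERF };

static int msr_allowed(uint32_t reg)
{
    for (size_t i = 0; i < sizeof(msr_allowlist) / sizeof(msr_allowlist[0]); i++)
        if (msr_allowlist[i] == reg)
            return 1;
    return 0;
}

/* Constructed stand-in for rdmsr so the example runs unprivileged. */
static uint64_t fake_rdmsr(uint32_t reg)
{
    return reg == MSR_LSTAR ? 0xffffffff81800000ull : 0x1000ull + reg;
}

/* Read handler model: offset is the MSR index, count a non-zero multiple of 8. */
static ssize_t filtered_msr_read(uint64_t offset, void *buf, size_t count)
{
    if (count == 0 || count % 8)
        return -EINVAL;
    if (offset > UINT32_MAX)   /* reject instead of silently truncating the index */
        return -EINVAL;
    if (!msr_allowed((uint32_t)offset))
        return -EPERM;         /* refuse before the register is read; buf untouched */
    for (size_t done = 0; done < count; done += 8) {
        uint64_t val = fake_rdmsr((uint32_t)offset);
        memcpy((char *)buf + done, &val, sizeof(val));
    }
    return (ssize_t)count;
}

int main(void)
{
    uint64_t v = 0;
    return filtered_msr_read(MSR_LSTAR, &v, sizeof(v)) == -EPERM ? 0 : 1;
}
```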

Thread overview: 23+ messages
2015-06-26 17:52 [PATCH] x86, msr: Allow read access to /dev/cpu/X/msr Prarit Bhargava
2015-06-26 18:45 ` H. Peter Anvin
2015-06-26 19:23 ` Brian Gerst
2015-06-26 21:26   ` Prarit Bhargava [this message]
2015-06-28 15:13     ` Henrique de Moraes Holschuh
2015-06-27  8:33 ` Ingo Molnar
2015-06-27  8:39   ` Ingo Molnar
2015-06-27 15:52     ` Andy Lutomirski
2015-06-28 14:34       ` Prarit Bhargava
2015-06-28 15:10         ` Henrique de Moraes Holschuh
2015-06-29  6:42           ` Ingo Molnar
2015-06-29 10:58           ` Matt Fleming
2015-06-29 19:51         ` H. Peter Anvin
2015-06-30 12:20           ` Prarit Bhargava
2015-06-30 12:44             ` Peter Zijlstra
2015-06-30 12:57               ` Ingo Molnar
2015-06-30 13:23               ` Prarit Bhargava
2015-07-01 16:38       ` Brown, Len
2015-07-01 17:33         ` Andy Lutomirski
2015-07-02  9:15           ` Ingo Molnar
2015-07-02 19:22         ` H. Peter Anvin
2015-07-02 19:26           ` Andy Lutomirski
2015-07-03  7:42         ` Ingo Molnar
