From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
To: Arnaldo Carvalho de Melo <acme@kernel.org>,
linux-perf-users@vger.kernel.org
Cc: Thomas-Mich Richter <tmricht@linux.vnet.ibm.com>,
Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Subject: Running perf in namespaces and questions on its isolation
Date: Fri, 17 Nov 2017 16:32:24 +0100
Message-ID: <20171117153224.GE4347@linux.vnet.ibm.com>
Hi Arnaldo, et al.,
I have just played around with running perf within a namespace. Besides an
issue with namespace copying for which I have already posted a patch, I
have a more general issue:
I created a (PID) namespace by using:
"unshare --fork --pid --mount-proc /bin/bash".
Within the created PID namespace, a "perf record -a -e cpu-clock" session is
started. While it runs, perform some commands outside of this namespace,
for example, df, find, cat.
Then, perf record is stopped and its report reads:
perf report --stdio --sort comm,pid
# To display the perf.data header info, please use --header/--header-only options.
#
#
# Total Lost Samples: 0
#
# Samples: 158K of event 'cpu-clock'
# Event count (approx.): 39529250000
#
# Overhead Command Pid:Command
# ........ ....... ...............
#
32.93% df 0:df
29.45% find 0:find
25.09% swapper 0:swapper
12.48% cat 0:cat
0.05% perf 67:perf
According to this output, perf record receives PERF_RECORD_COMM events
of processes from outside its namespace. This is also indicated by the
PID 0. (Processes that do not exist in a PID namespace (where perf record
ran) are translated to zero. See also perf_event_pid() in
kernel/events/core.c).
I wonder whether this is the intended behavior or should better be fixed to
provide isolation among different namespaces. Further, with user stack
sampling, a namespace could also access stack information from processes
running in a different namespace. That might result in a security issue.
So it would be great to know and understand what the correct behavior of
running perf within a namespace would be.
Thanks.
Kind regards,
Hendrik
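
An added example, not part of the original message: a small parser for the `perf report --stdio --sort comm,pid` rows shown above that measures how much of a profile comes from tasks the recording namespace cannot see. The rows are copied from the message; treating "PID 0 and command other than swapper" as out-of-namespace is an assumption drawn from the message's description of perf_event_pid().

```python
import re

# Rows copied from the report in the message above (header comments trimmed).
REPORT = """\
# Overhead  Command  Pid:Command
# ........  .......  ...............
#
    32.93%  df       0:df
    29.45%  find     0:find
    25.09%  swapper  0:swapper
    12.48%  cat      0:cat
     0.05%  perf     67:perf
"""

# overhead%, command, then "pid:command" as printed by --sort comm,pid
ROW = re.compile(r"^\s*(\d+(?:\.\d+)?)%\s+(\S.*?)\s+(-?\d+):(\S.*?)\s*$")


def classify(report):
    """Split report rows into local, idle and foreign (out-of-namespace) tasks."""
    buckets = {"local": [], "idle": [], "foreign": []}
    for line in report.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and header comments
        m = ROW.match(line)
        if m is None:
            continue  # not a data row
        overhead, comm, pid = float(m.group(1)), m.group(2), int(m.group(3))
        if pid != 0:
            kind = "local"    # PID resolved inside the recording namespace
        elif comm == "swapper":
            kind = "idle"     # idle task, reported as PID 0 in any case
        else:
            kind = "foreign"  # assumption: PID translated to 0, task not visible here
        buckets[kind].append((comm, pid, overhead))
    return buckets


def foreign_share(report):
    """Percentage of samples attributed to tasks outside the namespace."""
    return round(sum(o for _, _, o in classify(report)["foreign"]), 2)


if __name__ == "__main__":
    for comm, pid, overhead in classify(REPORT)["foreign"]:
        print(f"outside namespace: {comm:<8} {overhead:6.2f}%")
    print(f"total outside namespace: {foreign_share(REPORT)}%")
```

A non-zero result from a profile recorded inside a container means that profile carries activity from other namespaces.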