From: Kees Cook <keescook@chromium.org>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>,
Song Liu <song@kernel.org>,
Francis Laniel <flaniel@linux.microsoft.com>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v1 1/1] tracing/kprobe: Add multi-probe support for 'perf_kprobe' PMU
Date: Mon, 21 Aug 2023 11:07:58 -0700 [thread overview]
Message-ID: <202308211106.D2D2887@keescook> (raw)
In-Reply-To: <20230821104550.57d60a75@gandalf.local.home>
On Mon, Aug 21, 2023 at 10:45:50AM -0400, Steven Rostedt wrote:
> On Mon, 21 Aug 2023 19:01:52 +0900
> Masami Hiramatsu (Google) <mhiramat@kernel.org> wrote:
>
> > > kprobe BPF program has access to pt_regs, so it can read ip of the
> > > attached function. Can we do the same with regular kprobe (no bpf)?
> >
> > Yes, it can. So I think it is OK to expand CAP_PERFMON to access kallsyms.
> > But this means CAP_PERMON itself is not safe in some case.
>
> What are the privileges that CAP_PERFMON gives. I can see why Kees told me
> to avoid capabilities when looking at what has access to tracefs. Because
> it becomes very difficult to know what the privileges you are giving when
> you give out a capability. I just stick to normal ACL (file permissions)
> and everything is much easier and simpler to know what has access to what.
At the very least, having a fd-based "handle" for access work. But yeah,
capabilities get ugly quickly.
Anyway... what does CAP_PERFMON have access to right now? If it is
allowed to read arbitrary kernel memory, then resolving symbols is fine.
If it doesn't, then no, it shouldn't: it becomes a oracle for probing
symbol locations.
--
Kees Cook
next prev parent reply other threads:[~2023-08-21 18:08 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-16 16:35 [RFC PATCH v1 0/1] tracing/kprobe: Add multi-probe support for 'perf_kprobe' PMU Francis Laniel
2023-08-16 16:35 ` [RFC PATCH v1 1/1] " Francis Laniel
2023-08-16 18:42 ` Steven Rostedt
2023-08-17 10:59 ` Francis Laniel
2023-08-17 15:13 ` Steven Rostedt
2023-08-18 9:01 ` Francis Laniel
2023-08-18 12:37 ` Masami Hiramatsu
2023-08-18 15:41 ` Steven Rostedt
2023-08-18 18:13 ` Francis Laniel
2023-08-18 18:20 ` Steven Rostedt
2023-08-19 1:15 ` Masami Hiramatsu
2023-08-19 15:22 ` Song Liu
2023-08-20 9:32 ` Masami Hiramatsu
2023-08-20 10:02 ` Song Liu
2023-08-20 13:16 ` Masami Hiramatsu
2023-08-21 6:09 ` Song Liu
2023-08-21 10:01 ` Masami Hiramatsu
2023-08-21 14:45 ` Steven Rostedt
2023-08-21 18:07 ` Kees Cook [this message]
2023-08-21 14:29 ` Steven Rostedt
2023-08-21 15:19 ` Masami Hiramatsu
2023-08-21 15:28 ` Steven Rostedt
2023-08-17 7:50 ` Masami Hiramatsu
2023-08-17 11:06 ` Francis Laniel
2023-08-18 13:05 ` Masami Hiramatsu
2023-08-18 18:12 ` Francis Laniel
2023-08-19 1:11 ` Masami Hiramatsu
2023-08-20 20:23 ` Jiri Olsa
2023-08-21 12:22 ` Francis Laniel
2023-08-20 20:34 ` Jiri Olsa
2023-08-21 12:24 ` Francis Laniel
2023-08-22 13:13 ` Jiri Olsa
2023-08-21 12:55 ` Francis Laniel
2023-08-23 0:36 ` Masami Hiramatsu
2023-08-23 9:54 ` Francis Laniel
2023-08-23 13:45 ` Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308211106.D2D2887@keescook \
--to=keescook@chromium.org \
--cc=flaniel@linux.microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox