From patchwork Wed Nov 21 09:14:14 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Budankov X-Patchwork-Id: 10692159 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EB3E013BB for ; Wed, 21 Nov 2018 09:14:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CBA952B6C7 for ; Wed, 21 Nov 2018 09:14:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BF39C2B704; Wed, 21 Nov 2018 09:14:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 9E3922B6C7 for ; Wed, 21 Nov 2018 09:14:34 +0000 (UTC) Received: (qmail 22456 invoked by uid 550); 21 Nov 2018 09:14:33 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 22438 invoked from network); 21 Nov 2018 09:14:32 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,260,1539673200"; d="scan'208";a="93752038" Subject: [PATCH v2 1/2] Documentation/admin-guide: introduce perf-security.rst file From: Alexey Budankov To: Thomas Gleixner , Kees Cook , Jann Horn , Ingo Molnar , Peter Zijlstra , Arnaldo Carvalho de Melo , Andi Kleen , Jonatan Corbet Cc: Alexander Shishkin , Jiri Olsa , Namhyung Kim , Mark Rutland , Tvrtko Ursulin , linux-kernel , "kernel-hardening@lists.openwall.com" , "linux-doc@vger.kernel.org" References: <259a9cd2-5c56-4f8d-57c4-cabaeaa774bc@linux.intel.com> Organization: Intel Corp. Message-ID: <4d95341d-d1f4-fc48-f173-a6fedfc70d33@linux.intel.com> Date: Wed, 21 Nov 2018 12:14:14 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <259a9cd2-5c56-4f8d-57c4-cabaeaa774bc@linux.intel.com> Content-Language: en-US X-Virus-Scanned: ClamAV using ClamSMTP Implement initial version of perf-security.rst documentation file initially covering security concerns related to perf_events/Perf performance monitoring in multiuser environments. Suggested-by: Thomas Gleixner Signed-off-by: Alexey Budankov --- Changes in v2: - replaced PCL referencing by perf_events - skipped >=3 setting documentation at the moment --- Documentation/admin-guide/perf-security.rst | 77 +++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 Documentation/admin-guide/perf-security.rst diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst new file mode 100644 index 000000000000..55ccd9394809 --- /dev/null +++ b/Documentation/admin-guide/perf-security.rst @@ -0,0 +1,77 @@ +.. _perf_security: + +Perf Events and tool security +============================= + +Overview +-------- + +Usage of Performance Counters for Linux (perf_events) [1]_ , [2]_ , [3]_ can +impose a considerable risk of leaking sensitive data accessed by monitored +processes. The data leakage is possible both in scenarios of direct usage of +perf_events system call API [2]_ and over data files generated by Perf tool user +mode utility (Perf) [3]_ , [4]_ . The risk depends on the nature of data that +perf_events performance monitoring units (PMU) [2]_ collect and expose for +performance analysis. Having that said perf_events/Perf performance monitoring +is the subject for security access control management [5]_ . + +perf_events/Perf access control +------------------------------- + +For the purpose of performing security checks Linux implementation splits +processes into two categories [6]_ : a) privileged processes (whose effective +user ID is 0, referred to as superuser or root), and b) unprivileged processes +(whose effective UID is nonzero). Privileged processes bypass all kernel +security permission checks so perf_events performance monitoring is fully +available to privileged processes without *access*, *scope* and *resource* +restrictions. Unprivileged processes are subject to full security permission +check based on the process's credentials [5]_ (usually: effective UID, effective +GID, and supplementary group list). + +perf_events/Perf unprivileged users +-------------------------- + +perf_events/Perf *scope* and *access* control for unprivileged processes is +governed by perf_event_paranoid [2]_ setting: + +-1: + Impose no *scope* and *access* restrictions on using perf_events performance + monitoring. Per-user per-cpu perf_event_mlock_kb [2]_ locking limit is + ignored when allocating memory buffers for storing performance data. + This is the least secure mode since allowed monitored *scope* is + maximized and no perf_events specific limits are imposed on *resources* + allocated for performance monitoring. + +>=0: + *scope* includes per-process and system wide performance monitoring + but excludes raw tracepoints and ftrace function tracepoints monitoring. + CPU and system events happened when executing either in user or + in kernel space can be monitored and captured for later analysis. + Per-user per-cpu perf_event_mlock_kb locking limit is imposed but + ignored for unprivileged processes with CAP_IPC_LOCK [6]_ capability. + +>=1: + *scope* includes per-process performance monitoring only and excludes + system wide performance monitoring. CPU and system events happened when + executing either in user or in kernel space can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +>=2: + *scope* includes per-process performance monitoring only. CPU and system + events happened when executing in user space only can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +Bibliography +------------ + +.. [1] ``_ +.. [2] ``_ +.. [3] ``_ +.. [4] ``_ +.. [5] ``_ +.. [6] ``_ + From patchwork Wed Nov 21 09:15:11 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Budankov X-Patchwork-Id: 10692161 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 12EAA1709 for ; Wed, 21 Nov 2018 09:15:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F23EC2B71C for ; Wed, 21 Nov 2018 09:15:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E17FC2B742; Wed, 21 Nov 2018 09:15:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 255482B71C for ; Wed, 21 Nov 2018 09:15:30 +0000 (UTC) Received: (qmail 24439 invoked by uid 550); 21 Nov 2018 09:15:29 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 24418 invoked from network); 21 Nov 2018 09:15:29 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,260,1539673200"; d="scan'208";a="101990104" Subject: [PATCH v2 2/2] Documentation/admin-guide: update admin-guide index.rst From: Alexey Budankov To: Thomas Gleixner , Kees Cook , Jann Horn , Ingo Molnar , Peter Zijlstra , Arnaldo Carvalho de Melo , Andi Kleen , Jonatan Corbet Cc: Alexander Shishkin , Jiri Olsa , Namhyung Kim , Mark Rutland , Tvrtko Ursulin , linux-kernel , "kernel-hardening@lists.openwall.com" , "linux-doc@vger.kernel.org" References: <259a9cd2-5c56-4f8d-57c4-cabaeaa774bc@linux.intel.com> Organization: Intel Corp. Message-ID: <8b37e342-2276-d68a-f770-4e608f96a574@linux.intel.com> Date: Wed, 21 Nov 2018 12:15:11 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <259a9cd2-5c56-4f8d-57c4-cabaeaa774bc@linux.intel.com> Content-Language: en-US X-Virus-Scanned: ClamAV using ClamSMTP Extend index.rst index file at admin-guide root directory with the reference to perf-security.rst file being introduced. Signed-off-by: Alexey Budankov --- Documentation/admin-guide/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst index 965745d5fb9a..0a491676685e 100644 --- a/Documentation/admin-guide/index.rst +++ b/Documentation/admin-guide/index.rst @@ -76,6 +76,7 @@ configure specific aspects of kernel behavior to your liking. thunderbolt LSM/index mm/index + perf-security .. only:: subproject and html