From patchwork Mon Nov 26 09:02:18 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Budankov X-Patchwork-Id: 10697843 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E65D113AD for ; Mon, 26 Nov 2018 09:02:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D127C297B0 for ; Mon, 26 Nov 2018 09:02:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BF36B297B5; Mon, 26 Nov 2018 09:02:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id B3626297B0 for ; Mon, 26 Nov 2018 09:02:42 +0000 (UTC) Received: (qmail 5384 invoked by uid 550); 26 Nov 2018 09:02:41 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 5359 invoked from network); 26 Nov 2018 09:02:40 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,281,1539673200"; d="scan'208";a="107762323" Subject: [PATCH v3 1/2] Documentation/admin-guide: introduce perf-security.rst file From: Alexey Budankov To: Jonatan Corbet , Thomas Gleixner , Kees Cook , Jann Horn , Ingo Molnar , Peter Zijlstra , Arnaldo Carvalho de Melo , Andi Kleen Cc: Alexander Shishkin , Jiri Olsa , Namhyung Kim , Mark Rutland , Tvrtko Ursulin , linux-kernel , "kernel-hardening@lists.openwall.com" , "linux-doc@vger.kernel.org" References: <6cfb235a-59bc-48f0-3425-59c5b6431b12@linux.intel.com> Organization: Intel Corp. Message-ID: Date: Mon, 26 Nov 2018 12:02:18 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <6cfb235a-59bc-48f0-3425-59c5b6431b12@linux.intel.com> Content-Language: en-US X-Virus-Scanned: ClamAV using ClamSMTP Implement initial version of perf-security.rst documentation file covering security concerns of perf_event_paranoid settings. Suggested-by: Thomas Gleixner Signed-off-by: Alexey Budankov --- Changes in v3: - toning down of the markup for "scope, access and resource" - adding definite article for "Linux implementation" Changes in v2: - reverted patches order in the set to avoid CI issue - replaced old PCL referencing by PE (Perf Events) - skipped >=3 setting documentation at the moment --- Documentation/admin-guide/perf-security.rst | 77 +++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 Documentation/admin-guide/perf-security.rst diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst new file mode 100644 index 000000000000..f0fb75cadaed --- /dev/null +++ b/Documentation/admin-guide/perf-security.rst @@ -0,0 +1,77 @@ +.. _perf_security: + +Perf Events and tool security +============================= + +Overview +-------- + +Usage of Performance Counters for Linux (perf_events) [1]_ , [2]_ , [3]_ can +impose a considerable risk of leaking sensitive data accessed by monitored +processes. The data leakage is possible both in scenarios of direct usage of +perf_events system call API [2]_ and over data files generated by Perf tool user +mode utility (Perf) [3]_ , [4]_ . The risk depends on the nature of data that +perf_events performance monitoring units (PMU) [2]_ collect and expose for +performance analysis. Having that said perf_events/Perf performance monitoring +is the subject for security access control management [5]_ . + +perf_events/Perf access control +------------------------------- + +For the purpose of performing security checks the Linux implementation splits +processes into two categories [6]_ : a) privileged processes (whose effective +user ID is 0, referred to as superuser or root), and b) unprivileged processes +(whose effective UID is nonzero). Privileged processes bypass all kernel +security permission checks so perf_events performance monitoring is fully +available to privileged processes without access, scope and resource +restrictions. Unprivileged processes are subject to full security permission +check based on the process's credentials [5]_ (usually: effective UID, effective +GID, and supplementary group list). + +perf_events/Perf unprivileged users +----------------------------------- + +perf_events/Perf *scope* and *access* control for unprivileged processes is +governed by perf_event_paranoid [2]_ setting: + +-1: + Impose no *scope* and *access* restrictions on using perf_events performance + monitoring. Per-user per-cpu perf_event_mlock_kb [2]_ locking limit is + ignored when allocating memory buffers for storing performance data. + This is the least secure mode since allowed monitored *scope* is + maximized and no perf_events specific limits are imposed on *resources* + allocated for performance monitoring. + +>=0: + *scope* includes per-process and system wide performance monitoring + but excludes raw tracepoints and ftrace function tracepoints monitoring. + CPU and system events happened when executing either in user or + in kernel space can be monitored and captured for later analysis. + Per-user per-cpu perf_event_mlock_kb locking limit is imposed but + ignored for unprivileged processes with CAP_IPC_LOCK [6]_ capability. + +>=1: + *scope* includes per-process performance monitoring only and excludes + system wide performance monitoring. CPU and system events happened when + executing either in user or in kernel space can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +>=2: + *scope* includes per-process performance monitoring only. CPU and system + events happened when executing in user space only can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +Bibliography +------------ + +.. [1] ``_ +.. [2] ``_ +.. [3] ``_ +.. [4] ``_ +.. [5] ``_ +.. [6] ``_ + From patchwork Mon Nov 26 09:03:09 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Budankov X-Patchwork-Id: 10697851 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B85DD15A7 for ; Mon, 26 Nov 2018 09:03:33 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A2188288B4 for ; Mon, 26 Nov 2018 09:03:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 94A522884A; Mon, 26 Nov 2018 09:03:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id CB0F3286CF for ; Mon, 26 Nov 2018 09:03:32 +0000 (UTC) Received: (qmail 7530 invoked by uid 550); 26 Nov 2018 09:03:30 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 7477 invoked from network); 26 Nov 2018 09:03:30 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,281,1539673200"; d="scan'208";a="103152425" Subject: [PATCH v3 2/2] Documentation/admin-guide: update admin-guide index.rst From: Alexey Budankov To: Jonatan Corbet , Thomas Gleixner , Kees Cook , Jann Horn , Ingo Molnar , Peter Zijlstra , Arnaldo Carvalho de Melo , Andi Kleen Cc: Alexander Shishkin , Jiri Olsa , Namhyung Kim , Mark Rutland , Tvrtko Ursulin , linux-kernel , "kernel-hardening@lists.openwall.com" , "linux-doc@vger.kernel.org" References: <6cfb235a-59bc-48f0-3425-59c5b6431b12@linux.intel.com> Organization: Intel Corp. Message-ID: Date: Mon, 26 Nov 2018 12:03:09 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <6cfb235a-59bc-48f0-3425-59c5b6431b12@linux.intel.com> Content-Language: en-US X-Virus-Scanned: ClamAV using ClamSMTP Extend index.rst index file at admin-guide root directory with the reference to perf-security.rst file being introduced. Signed-off-by: Alexey Budankov --- Documentation/admin-guide/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst index 965745d5fb9a..0a491676685e 100644 --- a/Documentation/admin-guide/index.rst +++ b/Documentation/admin-guide/index.rst @@ -76,6 +76,7 @@ configure specific aspects of kernel behavior to your liking. thunderbolt LSM/index mm/index + perf-security .. only:: subproject and html