Re: [patch] Performance Counters for Linux, v4

From: Pavel Machek
Date: Tue Dec 16 2008 - 07:57:44 EST

Next message: Hannes Eder: "[PATCH] HID: avoid sparse warning in HID_COMPAT_LOAD_DRIVER"
Previous message: Li Zefan: "Re: [PATCH] sched: fix another race when reading /proc/sched_debug"
In reply to: Ingo Molnar: "Re: [patch] Performance Counters for Linux, v4"
Next in thread: Ingo Molnar: "Re: [patch] Performance Counters for Linux, v4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue 2008-12-16 13:50:00, Ingo Molnar wrote:
>
> * Pavel Machek <pavel@xxxxxxx> wrote:
>
> > Hmm, if I timec some setuid program, what happens?
>
> yes, i already had a quick look at that a few days ago when i implemented
> counter inheritance (for different reasons) and couldnt find the cleanest
> place to put the exec() flushing into so i procrastinated that a bit :)
>
> > Performance counters seem like great tool to pull secret keys out of
> > other processes :-).
>
> if you worry about _that_ angle you also have to:
>
> - turn off the cycle counter
>
> - turn off precise utimes

Probably good idea, yes.

> - plus you have to forbid SMT CPUs as well. On HT a task could
> co-schedule with your setuid task and observe its timing
> characteristics via its _own_ behavior. (which is impacted by whatever
> is running on another SMT/HT thread.)

Yes, SMT is evil.

> the real exec() worry are: active, IRQ driven samples/events. Not possible
> yet via the current iteration of counter inheritance (hence my
> procrastination) - but it makes sense and that's why i was looking at the
> exec() angle.
>
> and that will flush simple counters too, removing your theoretical attack
> angle as well.
>
> So how about the patch below?

Thanks!

> Subject: perfcounters: flush on setuid exec
> From: Ingo Molnar <mingo@xxxxxxx>
> Date: Tue Dec 16 13:40:44 CET 2008
>
> Pavel Machek pointed out that performance counters should be flushed
> when crossing protection domains on setuid execution.
>
> Reported-by: Pavel Machek <pavel@xxxxxxx>
> Signed-off-by: Ingo Molnar <mingo@xxxxxxx>

Acked-by: Pavel Machek <pavel@xxxxxxx>

> @@ -1015,6 +1016,13 @@ int flush_old_exec(struct linux_binprm *
> set_dumpable(current->mm, suid_dumpable);
> }
>
> + /*
> + * Flush performance counters when crossing a
> + * security domain:
> + */
> + if (!get_dumpable(current->mm))
> + perf_counter_exit_task(current);
> +
> /* An exec changes our domain. We are no longer part of the thread
> group */
>

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Hannes Eder: "[PATCH] HID: avoid sparse warning in HID_COMPAT_LOAD_DRIVER"
Previous message: Li Zefan: "Re: [PATCH] sched: fix another race when reading /proc/sched_debug"
In reply to: Ingo Molnar: "Re: [patch] Performance Counters for Linux, v4"
Next in thread: Ingo Molnar: "Re: [patch] Performance Counters for Linux, v4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]