Re: [PATCH] x86, msr: Allow read access to /dev/cpu/X/msr

[Brian Gerst]

On Fri, Jun 26, 2015 at 1:52 PM, Prarit Bhargava <prarit@xxxxxxxxxx> wrote:
> Customers write system monitoring software for single systems as well as
> clusters.  In load-balancing software it is useful to know how "busy" a
> core is.  Unfortunately the only way to get this data is to run as root,
> or use setcap to allow userspace access for particular programs.  Both of
> these options are clunky at best.
>
> This patch allows read access to the msr dev files which should be okay.
> No damage can be done by reading the MSR values and it allows non-root
> users to run system monitoring software.
>
> The turbostat code specifically checks for CAP_SYS_RAWIO, which it
> shouldn't have to and I've removed that code.  Additionally I've modified
> the turbostat man page to remove documentation about configuring
> CAP_SYS_RAW_IO.
>
> Note: Write access to msr is still restricted with this patch.

Allowing unrestricted read access to all MSRs is wrong.  Some MSRs
contain addresses of kernel data structures, which can be used in
security exploits.

The proper way to do this is to write a driver to only expose the MSRs
that the user tools need, and nothing else.

--
Brian Gerst
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/