[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20081216130302.GA27678@elte.hu>
Date: Tue, 16 Dec 2008 14:03:02 +0100
From: Ingo Molnar <mingo@...e.hu>
To: Pavel Machek <pavel@...e.cz>
Cc: linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
Andrew Morton <akpm@...ux-foundation.org>,
Stephane Eranian <eranian@...glemail.com>,
Eric Dumazet <dada1@...mosbay.com>,
Robert Richter <robert.richter@....com>,
Arjan van de Ven <arjan@...radead.org>,
Peter Anvin <hpa@...or.com>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Paul Mackerras <paulus@...ba.org>,
"David S. Miller" <davem@...emloft.net>,
perfctr-devel@...ts.sourceforge.net
Subject: Re: [patch] Performance Counters for Linux, v4
* Pavel Machek <pavel@...e.cz> wrote:
> On Tue 2008-12-16 13:50:00, Ingo Molnar wrote:
> >
> > * Pavel Machek <pavel@...e.cz> wrote:
> >
> > > Hmm, if I timec some setuid program, what happens?
> >
> > yes, i already had a quick look at that a few days ago when i implemented
> > counter inheritance (for different reasons) and couldnt find the cleanest
> > place to put the exec() flushing into so i procrastinated that a bit :)
> >
> > > Performance counters seem like great tool to pull secret keys out of
> > > other processes :-).
> >
> > if you worry about _that_ angle you also have to:
> >
> > - turn off the cycle counter
> >
> > - turn off precise utimes
>
> Probably good idea, yes.
>
> > - plus you have to forbid SMT CPUs as well. On HT a task could
> > co-schedule with your setuid task and observe its timing
> > characteristics via its _own_ behavior. (which is impacted by whatever
> > is running on another SMT/HT thread.)
>
> Yes, SMT is evil.
HT got added back to Nehalem, so SMT is coming to you in every future x86
CPU. It brings a serious performance win, so nobody will turn off SMT
threading in practice. If SMT worries you, it needs explicit partitioning
of security-relevant processing to different physical CPUs, via
cgroups/cpusets/etc.
> > the real exec() worry are: active, IRQ driven samples/events. Not possible
> > yet via the current iteration of counter inheritance (hence my
> > procrastination) - but it makes sense and that's why i was looking at the
> > exec() angle.
> >
> > and that will flush simple counters too, removing your theoretical attack
> > angle as well.
> >
> > So how about the patch below?
>
> Thanks!
>
> > Subject: perfcounters: flush on setuid exec
> > From: Ingo Molnar <mingo@...e.hu>
> > Date: Tue Dec 16 13:40:44 CET 2008
> >
> > Pavel Machek pointed out that performance counters should be flushed
> > when crossing protection domains on setuid execution.
> >
> > Reported-by: Pavel Machek <pavel@...e.cz>
> > Signed-off-by: Ingo Molnar <mingo@...e.hu>
>
> Acked-by: Pavel Machek <pavel@...e.cz>
find below the final commit, thanks Pavel.
Ingo
------------>
>From f65cb45cba63f249458b669aa67069eabc37b2f5 Mon Sep 17 00:00:00 2001
From: Ingo Molnar <mingo@...e.hu>
Date: Tue, 16 Dec 2008 13:40:44 +0100
Subject: [PATCH] perfcounters: flush on setuid exec
Pavel Machek pointed out that performance counters should be flushed
when crossing protection domains on setuid execution.
Reported-by: Pavel Machek <pavel@...e.cz>
Acked-by: Pavel Machek <pavel@...e.cz>
Signed-off-by: Ingo Molnar <mingo@...e.hu>
---
fs/exec.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index ec5df9a..d5165d8 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -33,6 +33,7 @@
#include <linux/string.h>
#include <linux/init.h>
#include <linux/pagemap.h>
+#include <linux/perf_counter.h>
#include <linux/highmem.h>
#include <linux/spinlock.h>
#include <linux/key.h>
@@ -1017,6 +1018,13 @@ int flush_old_exec(struct linux_binprm * bprm)
set_dumpable(current->mm, suid_dumpable);
}
+ /*
+ * Flush performance counters when crossing a
+ * security domain:
+ */
+ if (!get_dumpable(current->mm))
+ perf_counter_exit_task(current);
+
/* An exec changes our domain. We are no longer part of the thread
group */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists