| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150715124741.GL2859@worktop.programming.kicks-ass.net>
Date: Wed, 15 Jul 2015 14:47:41 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Aravinda Prasad <aravinda@...ux.vnet.ibm.com>
Cc: linux-kernel@...r.kernel.org, rostedt@...dmis.org,
mingo@...hat.com, paulus@...ba.org, acme@...nel.org,
hbathini@...ux.vnet.ibm.com, ananth@...ibm.com
Subject: Re: [RFC PATCH] perf: Container-aware tracing support
On Wed, Jul 15, 2015 at 02:38:36PM +0530, Aravinda Prasad wrote:
> Current tracing infrastructure such as perf and ftrace reports system
> wide data when invoked inside a container. It is required to restrict
> events specific to a container context when such tools are invoked
> inside a container.
>
> This RFC patch supports filtering container specific events, without
> any change in the user interface, when invoked within a container for
> the perf utility; such support needs to be extended to ftrace. This
> patch assumes that the debugfs is available within the container and
> all the processes running inside a container are grouped into a single
> perf_event subsystem of cgroups. This patch piggybacks on the existing
> support available for tracing with cgroups [1] by setting the cgrp
> member of the event structure to the cgroup of the context perf tool
> is invoked from.
>
> However, this patch is not complete and requires more work to fully
> support tracing inside a container. This patch is intended to initiate
> the discussion on having container-aware tracing support. A detailed
> explanation on what is supported and pending issues are mentioned
> below.
tracing is outside the scope of perf; I suspect you want tracefs to be
sensitive to filesystem namespaces and all that that entails.
> Cc: Hari Bathini <hbathini@...ux.vnet.ibm.com>
> Signed-off-by: Aravinda Prasad <aravinda@...ux.vnet.ibm.com>
> ---
> kernel/events/core.c | 49 +++++++++++++++++++++++++++++++++++--------------
> 1 file changed, 35 insertions(+), 14 deletions(-)
>
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 81aa3a4..f6a1f89 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -589,17 +589,38 @@ static inline int perf_cgroup_connect(int fd, struct perf_event *event,
> {
> struct perf_cgroup *cgrp;
> struct cgroup_subsys_state *css;
> - struct fd f = fdget(fd);
> + struct fd f;
> int ret = 0;
>
> - if (!f.file)
> - return -EBADF;
> + if (fd != -1) {
> + f = fdget(fd);
> + if (!f.file)
> + return -EBADF;
>
> - css = css_tryget_online_from_dir(f.file->f_path.dentry,
> + css = css_tryget_online_from_dir(f.file->f_path.dentry,
> &perf_event_cgrp_subsys);
> - if (IS_ERR(css)) {
> - ret = PTR_ERR(css);
> - goto out;
> + if (IS_ERR(css)) {
> + ret = PTR_ERR(css);
> + fdput(f);
> + return ret;
> + }
> + } else if (event->attach_state == PERF_ATTACH_TASK) {
> + /* Tracing on a PID. No need to set event->cgrp */
> + return ret;
> + } else if (task_active_pid_ns(current) != &init_pid_ns) {
Why the pid namespace?
> + /* Don't set event->cgrp if task belongs to root cgroup */
> + if (task_css_is_root(current, perf_event_cgrp_id))
> + return ret;
So if you have the root perf_cgroup inside your container you can
escape?
> +
> + css = task_css(current, perf_event_cgrp_id);
> + if (!css || !css_tryget_online(css))
> + return -ENOENT;
> + } else {
> + /*
> + * perf invoked from global context and hence don't set
> + * event->cgrp as all the events should be included
> + */
> + return ret;
> }
>
> cgrp = container_of(css, struct perf_cgroup, css);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists