Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-07-27 Thread Arnaldo Carvalho de Melo
On Tue, Jul 21, 2020 at 04:06:34PM +0300, Alexey Budankov wrote: > > On 13.07.2020 21:51, Arnaldo Carvalho de Melo wrote: > > On Mon, Jul 13, 2020 at 03:37:51PM +0300, Alexey Budankov wrote: > >> > >> On 13.07.2020 15:17, Arnaldo Carvalho de Melo wrote: >

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-07-15 Thread Arnaldo Carvalho de Melo
On Tue, Jul 14, 2020 at 12:59:34PM +0200, Peter Zijlstra wrote: > On Mon, Jul 13, 2020 at 03:51:52PM -0300, Arnaldo Carvalho de Melo wrote: > > > > > diff --git a/kernel/events/core.c b/kernel/events/core.c > > > > index 856d98c36f56..a2397f724c10 100644 >

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-07-13 Thread Arnaldo Carvalho de Melo
On Mon, Jul 13, 2020 at 03:37:51PM +0300, Alexey Budankov wrote: > > On 13.07.2020 15:17, Arnaldo Carvalho de Melo wrote: > > On Mon, Jul 13, 2020 at 12:48:25PM +0300, Alexey Budankov wrote: > >> > >> On 10.07.2020 20:09, Arnaldo Carvalho de Melo wrote: >

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-07-13 Thread Arnaldo Carvalho de Melo
On Mon, Jul 13, 2020 at 12:48:25PM +0300, Alexey Budankov wrote: > > On 10.07.2020 20:09, Arnaldo Carvalho de Melo wrote: > > On Fri, Jul 10, 2020 at 05:30:50PM +0300, Alexey Budankov wrote: > >> On 10.07.2020 16:31, Ravi Bangoria wrote: > >>>> Currently

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-07-10 Thread Arnaldo Carvalho de Melo
On Fri, Jul 10, 2020 at 05:30:50PM +0300, Alexey Budankov wrote: > On 10.07.2020 16:31, Ravi Bangoria wrote: > >> Currently access to perf_events, i915_perf and other performance > >> monitoring and observability subsystems of the kernel is open only for > >> a privileged process [1] with CAP_SY

[Intel-gfx] [PATCH 13/60] drivers/perf: Open access for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/4ec1d6f7-548c-8d1c-f84a-cebeb9674...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- drivers/perf/arm_spe_pmu.c | 4 ++-- 1

[Intel-gfx] [PATCH 10/60] trace/bpf_trace: Open access for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
@lists.freedesktop.org Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/c0a0ae47-8b6e-ff3e-416b-3cd1faaf7...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- kernel/trace/bpf_trace.c | 2

[Intel-gfx] [PATCH 07/60] perf/core: open access to probes for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
capability. Signed-off-by: Alexey Budankov Reviewed-by: James Morris Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Serge Hallyn Cc: Song Liu Cc: Stephane Eranian Cc: Thomas Gleixner Cc

[Intel-gfx] [PATCH 06/60] perf/core: Open access to the core for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
perf_events monitoring is discouraged with respect to CAP_PERFMON capability. Signed-off-by: Alexey Budankov Reviewed-by: James Morris Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Jiri Olsa Cc: linux-...@vger.kernel.org Cc: Namhyung Kim Cc: Peter

[Intel-gfx] [PATCH 11/60] powerpc/perf: open access for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/ac98cd9f-b59e-673c-c70d-180b3e769...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- arch/powerpc/perf/imc-pmu.c | 4

[Intel-gfx] [PATCH 14/60] drivers/oprofile: Open access for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/691f1096-b15f-9b12-50a0-c2b939181...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- drivers/oprofile/event_buffer.c | 2 +- 1 file changed, 1

[Intel-gfx] [PATCH 16/60] doc/admin-guide: update kernel.rst with CAP_PERFMON information

2020-04-20 Thread Arnaldo Carvalho de Melo
...@vger.kernel.org Link: http://lore.kernel.org/lkml/84c32383-14a2-fa35-16b6-f9e59bd37...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- Documentation/admin-guide/sysctl/kernel.rst | 16 +++- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/Documentation/admin-guide

[Intel-gfx] [PATCH 08/60] perf tools: Support CAP_PERFMON capability

2020-04-20 Thread Arnaldo Carvalho de Melo
dankov Reviewed-by: James Morris Acked-by: Jiri Olsa Acked-by: Namhyung Kim Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Peter Zijlstra Cc: Serge Hallyn Cc: Song Liu Cc: Stephane Eranian Cc: Thomas Gleixner Cc: intel-gfx@lists.freedeskt

[Intel-gfx] [PATCH 09/60] drm/i915/perf: Open access for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
: intel-gfx@lists.freedesktop.org Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/e3e3292f-f765-ea98-e59c-fbe2db93f...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo

[Intel-gfx] [PATCH 15/60] doc/admin-guide: Update perf-security.rst with CAP_PERFMON information

2020-04-20 Thread Arnaldo Carvalho de Melo
; event, even tho a cap_perfmon capable perf binary can get kernel samples, to workaround that just use, e.g.: # perf top -e cycles # perf record -e cycles And it will sample kernel and user modes. Signed-off-by: Alexey Budankov Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoit

[Intel-gfx] [PATCH 12/60] parisc/perf: open access for CAP_PERFMON privileged process

2020-04-20 Thread Arnaldo Carvalho de Melo
: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/8cc98809-d35b-de0f-de02-4cf554f3c...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- arch/parisc/kernel/perf.c | 2 +- 1

[Intel-gfx] [PATCH 05/60] capabilities: Introduce CAP_PERFMON to kernel and user space

2020-04-20 Thread Arnaldo Carvalho de Melo
E. Hallyn Acked-by: Song Liu Acked-by: Stephen Smalley Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: intel-gfx@lists.freedesktop.org

[Intel-gfx] [PATCH 05/26] capabilities: Introduce CAP_PERFMON to kernel and user space

2020-04-13 Thread Arnaldo Carvalho de Melo
E. Hallyn Acked-by: Song Liu Acked-by: Stephen Smalley Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: intel-gfx@lists.freedesktop.org

[Intel-gfx] [PATCH 11/26] powerpc/perf: open access for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/ac98cd9f-b59e-673c-c70d-180b3e769...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- arch/powerpc/perf/imc-pmu.c | 4

[Intel-gfx] [PATCH 16/26] doc/admin-guide: update kernel.rst with CAP_PERFMON information

2020-04-13 Thread Arnaldo Carvalho de Melo
...@vger.kernel.org Link: http://lore.kernel.org/lkml/84c32383-14a2-fa35-16b6-f9e59bd37...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- Documentation/admin-guide/sysctl/kernel.rst | 16 +++- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/Documentation/admin-guide

[Intel-gfx] [PATCH 09/26] drm/i915/perf: Open access for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
: intel-gfx@lists.freedesktop.org Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/e3e3292f-f765-ea98-e59c-fbe2db93f...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo

[Intel-gfx] [PATCH 14/26] drivers/oprofile: Open access for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/691f1096-b15f-9b12-50a0-c2b939181...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- drivers/oprofile/event_buffer.c | 2 +- 1 file changed, 1

[Intel-gfx] [PATCH 10/26] trace/bpf_trace: Open access for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
@lists.freedesktop.org Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/c0a0ae47-8b6e-ff3e-416b-3cd1faaf7...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- kernel/trace/bpf_trace.c | 2

[Intel-gfx] [PATCH 07/26] perf/core: open access to probes for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
capability. Signed-off-by: Alexey Budankov Reviewed-by: James Morris Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Serge Hallyn Cc: Song Liu Cc: Stephane Eranian Cc: Thomas Gleixner Cc

[Intel-gfx] [PATCH 06/26] perf/core: Open access to the core for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
perf_events monitoring is discouraged with respect to CAP_PERFMON capability. Signed-off-by: Alexey Budankov Reviewed-by: James Morris Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Jiri Olsa Cc: linux-...@vger.kernel.org Cc: Namhyung Kim Cc: Peter

[Intel-gfx] [PATCH 15/26] doc/admin-guide: Update perf-security.rst with CAP_PERFMON information

2020-04-13 Thread Arnaldo Carvalho de Melo
; event, even tho a cap_perfmon capable perf binary can get kernel samples, to workaround that just use, e.g.: # perf top -e cycles # perf record -e cycles And it will sample kernel and user modes. Signed-off-by: Alexey Budankov Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoit

[Intel-gfx] [PATCH 08/26] perf tools: Support CAP_PERFMON capability

2020-04-13 Thread Arnaldo Carvalho de Melo
dankov Reviewed-by: James Morris Acked-by: Jiri Olsa Acked-by: Namhyung Kim Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Peter Zijlstra Cc: Serge Hallyn Cc: Song Liu Cc: Stephane Eranian Cc: Thomas Gleixner Cc: intel-gfx@lists.freedeskt

[Intel-gfx] [PATCH 13/26] drivers/perf: Open access for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/4ec1d6f7-548c-8d1c-f84a-cebeb9674...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- drivers/perf/arm_spe_pmu.c | 4 ++-- 1

[Intel-gfx] [PATCH 12/26] parisc/perf: open access for CAP_PERFMON privileged process

2020-04-13 Thread Arnaldo Carvalho de Melo
: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org Link: http://lore.kernel.org/lkml/8cc98809-d35b-de0f-de02-4cf554f3c...@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- arch/parisc/kernel/perf.c | 2 +- 1

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-04-07 Thread Arnaldo Carvalho de Melo
On Tue, Apr 07, 2020 at 07:52:56PM +0300, Alexey Budankov wrote: > > On 07.04.2020 19:36, Arnaldo Carvalho de Melo wrote: > > On Tue, Apr 07, 2020 at 05:54:27PM +0300, Alexey Budankov wrote: > >> Could make sense adding cap_ipc_lock to the binary to isolate from this

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-04-07 Thread Arnaldo Carvalho de Melo
On Tue, Apr 07, 2020 at 01:56:43PM -0300, Arnaldo Carvalho de Melo wrote: > > But then, even with that attr.exclude_kernel set to 1 we _still_ get > kernel samples, which looks like another bug, now trying with strace, > which leads us to another rabbit hole: > > [perf@

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-04-07 Thread Arnaldo Carvalho de Melo
On Tue, Apr 07, 2020 at 01:36:54PM -0300, Arnaldo Carvalho de Melo wrote: > On Tue, Apr 07, 2020 at 05:54:27PM +0300, Alexey Budankov wrote: > > On 07.04.2020 17:35, Arnaldo Carvalho de Melo wrote: > > > On Tue, Apr 07, 2020 at 11:30:14AM -0300, Arnaldo Carvalho de Me

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-04-07 Thread Arnaldo Carvalho de Melo
On Thu, Apr 02, 2020 at 11:42:05AM +0300, Alexey Budankov wrote: > This patch set introduces CAP_PERFMON capability designed to secure > system performance monitoring and observability operations so that > CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role > for performance

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-04-07 Thread Arnaldo Carvalho de Melo
On Tue, Apr 07, 2020 at 11:30:14AM -0300, Arnaldo Carvalho de Melo wrote: > [perf@five ~]$ type perf > perf is hashed (/home/perf/bin/perf) > [perf@five ~]$ getcap /home/perf/bin/perf > /home/perf/bin/perf = cap_sys_ptrace,cap_syslog,38+ep > [perf@five ~]$ groups > perf perf_

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-04-07 Thread Arnaldo Carvalho de Melo
On Tue, Apr 07, 2020 at 01:36:54PM -0300, Arnaldo Carvalho de Melo wrote: > On Tue, Apr 07, 2020 at 05:54:27PM +0300, Alexey Budankov wrote: > > On 07.04.2020 17:35, Arnaldo Carvalho de Melo wrote: > > > On Tue, Apr 07, 2020 at 11:30:14AM -0300, Arnaldo Carvalho de Me

Re: [Intel-gfx] [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

2020-04-07 Thread Arnaldo Carvalho de Melo
On Tue, Apr 07, 2020 at 05:54:27PM +0300, Alexey Budankov wrote: > On 07.04.2020 17:35, Arnaldo Carvalho de Melo wrote: > > On Tue, Apr 07, 2020 at 11:30:14AM -0300, Arnaldo Carvalho de Melo wrote: > >> [perf@five ~]$ type perf > >> perf is hashed (/home/per

Re: [Intel-gfx] [PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information

2020-04-06 Thread Arnaldo Carvalho de Melo
On Sun, Apr 05, 2020 at 05:54:37PM +0300, Alexey Budankov wrote: > > On 05.04.2020 17:41, Alexey Budankov wrote: > > > > On 05.04.2020 17:10, Arnaldo Carvalho de Melo wrote: > >> On Thu, Apr 02, 2020 at 11:54:39AM +0300, Alexey Budankov wrote: > >>>

Re: [Intel-gfx] [PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information

2020-04-06 Thread Arnaldo Carvalho de Melo
On Thu, Apr 02, 2020 at 11:54:39AM +0300, Alexey Budankov wrote: > > Update kernel.rst documentation file with the information > related to usage of CAP_PERFMON capability to secure performance > monitoring and observability operations in system. This one is failing in my perf/core branch, ple

Re: [Intel-gfx] [PATCH v4 2/9] perf/core: open access for CAP_SYS_PERFMON privileged process

2020-01-10 Thread Arnaldo Carvalho de Melo
On Sat, Jan 11, 2020 at 12:52:13AM +0900, Masami Hiramatsu wrote: > On Fri, 10 Jan 2020 15:02:34 +0100 Peter Zijlstra > wrote: > > Again, this only allows attaching to previously created kprobes, it does > > not allow creating kprobes, right? > > That is; I don't think CAP_SYS_PERFMON should