Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160802203037.GC6879@twins.programming.kicks-ass.net>
Date: Tue, 2 Aug 2016 22:30:37 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Kees Cook <keescook@...omium.org>
Cc: Jeff Vander Stoep <jeffv@...gle.com>, Ingo Molnar <mingo@...hat.com>,
	Arnaldo Carvalho de Melo <acme@...nel.org>,
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Jonathan Corbet <corbet@....net>,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: Re: [PATCH 1/2] security, perf: allow further
 restriction of perf_event_open

On Tue, Aug 02, 2016 at 12:04:34PM -0700, Kees Cook wrote:

> Now, obviously, these API have huge value, otherwise they wouldn't
> exist in the first place, and they wouldn't be built into end-user
> kernels if they were universally undesirable. But that's not the
> situation: the APIs are needed, but they lack the appropriate knobs to
> control their availability.

So far so good, but I take exception with the suggestion that the
proposed knob is appropriate.

> And this isn't just about Android: regular
> distro kernels (like Debian, who also uses this patch) tend to build
> in everything so people can use whatever they want. But for admins
> that want to reduce their systems' attack surface, there needs to be
> ways to disable things like this.

And here I think you're overestimating the knowledge of most admins.

> > So the problem I have with this is that it will completely inhibit
> > development of things like JITs that self-profile to re-compile
> > frequently used code.
> 
> This is a good example of a use-case where this knob would be turned
> down. But for many many other use-cases, when presented with a
> pre-built kernel, there isn't a way to remove the attack surface.

No, quite the opposite. Having this knob will completely inhibit
development of such applications. Worse it will probably render perf
dead for quite a large body of developers.

The moment you frame it like: perf or sekjurity, and even default to
no-perf-because-sekjurity, a whole bunch of corporate IT departments
will not enable this, even for their developers.

Have you never had to 'root' your work machine to get work done? I have.
Luckily this was pre-secure-boot times so it was trivial since I had
physical access to the machine. But it still sucked I had to fight IT
over mostly 'trivial' crap.

> > I would much rather have an LSM hook where the security stuff can do
> > more fine grained control of things. Allowing some apps perf usage while
> > denying others.
> 
> I'm not against an LSM, but I think it's needless complexity when
> there is already a knob for this but it just doesn't go "high" enough.
> :)

So what will you to the moment the Google Dalvik guys come to you and
say: "Hey, we want to do active profiling to do better on-line code
generation?".

I see 0 up-sides of this approach and, as per the above, a whole bunch
of very serious downsides.

A global (esp. default inhibited) knob is too coarse and limiting.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.