From: Daniel Micay <danielmicay@gmail.com>
To: kernel-hardening@lists.openwall.com
Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
Jeff Vander Stoep <jeffv@google.com>
Subject: Re: [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open
Date: Wed, 19 Oct 2016 11:16:00 -0400 [thread overview]
Message-ID: <1476890160.4032.9.camel@gmail.com> (raw)
In-Reply-To: <20161019094115.GC9616@leverpostej>
[-- Attachment #1: Type: text/plain, Size: 2242 bytes --]
On Wed, 2016-10-19 at 10:41 +0100, Mark Rutland wrote:
> On Mon, Oct 17, 2016 at 10:54:33AM -0400, Daniel Micay wrote:
> > On Mon, 2016-10-17 at 14:44 +0100, Mark Rutland wrote:
> > > It's also my understanding that for Android, perf_event_paranoid
> > > is
> > > lowered when the user enables developer mode (rather than only
> > > when an
> > > external debugger is attached); is that correct?
> >
> > It's exposed as a "system property" marked as writable by the shell
> > user, so the Android Debug Bridge shell can lower it. The debugging
> > tools learned how to toggle it off automatically when they're used.
> > It
> > intentionally isn't a persist. prefixed property so the setting also
> > goes away on reboot.
> >
> > ADB (incl. the shell user) isn't available until developer mode is
> > enabled + ADB is toggled on in the developer settings, and then it
> > still
> > requires whitelisting keys.
>
> Ah; so I'd misunderstood somewhat.
>
> I was under the (clearly mistaken) impression that this was lowered
> when
> developer mode was enabled, rather than only when it was both enabled
> and ADB was connected, for example.
>
> Thanks for clearing that up!
ADB provides a shell as the 'shell' user, and that user has the ability
to toggle the sysctl. So profiling tools were able to be taught to do
that automatically. It's the only way that the 'shell' user is actually
exposed. For example, a terminal app just runs in the untrusted_app
SELinux domain as a unique unprivileged uid/gid pair, not as the much
more privileged ADB 'shell' domain.
So it doesn't actually get toggled off you use ADB to do something else.
ADB itself is pretty much comparable to SSH, but over USB (i.e. key-
based way of getting a shell).
The 'shell' user has tools like 'run-as' to be able to run things as
various apps (if they are marked debuggable), so in theory it could be
finer-grained and act only there, for the app being debugged. It would
be really hard to cover all use cases and maybe things other than apps
though (although in an Android 'user' build, the base system itself
isn't very debuggable, you really need 'userdebug' or 'eng' which isn't
what ships on end user devices).
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2016-10-19 15:16 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-27 14:45 [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open Jeff Vander Stoep
2016-07-27 20:43 ` Kees Cook
2016-08-02 9:52 ` [kernel-hardening] " Peter Zijlstra
2016-08-02 13:04 ` Arnaldo Carvalho de Melo
2016-08-02 13:10 ` Daniel Micay
2016-08-02 13:16 ` Daniel Micay
2016-08-02 19:04 ` Kees Cook
2016-08-02 20:30 ` Peter Zijlstra
2016-08-02 20:51 ` Kees Cook
2016-08-02 21:06 ` Jeffrey Vander Stoep
2016-08-03 8:28 ` Ingo Molnar
2016-08-03 12:28 ` Daniel Micay
2016-08-03 12:53 ` Daniel Micay
2016-08-03 13:36 ` Peter Zijlstra
2016-08-03 14:41 ` Peter Zijlstra
2016-08-03 15:42 ` Schaufler, Casey
2016-08-03 17:25 ` Eric W. Biederman
2016-08-03 18:53 ` Kees Cook
2016-08-03 21:44 ` Peter Zijlstra
2016-08-04 2:50 ` Eric W. Biederman
2016-08-04 9:11 ` Peter Zijlstra
2016-08-04 15:13 ` Eric W. Biederman
2016-08-04 15:37 ` Peter Zijlstra
2016-08-03 19:36 ` Daniel Micay
2016-08-04 10:28 ` Mark Rutland
2016-08-04 13:45 ` Daniel Micay
2016-08-04 14:11 ` Peter Zijlstra
2016-08-04 15:44 ` Daniel Micay
2016-08-04 15:55 ` Peter Zijlstra
2016-08-04 16:10 ` Mark Rutland
2016-08-04 16:32 ` Daniel Micay
2016-08-04 17:09 ` Mark Rutland
2016-08-04 17:36 ` Daniel Micay
2016-08-02 21:16 ` Jeffrey Vander Stoep
2016-10-17 13:44 ` [kernel-hardening] " Mark Rutland
2016-10-17 14:54 ` Daniel Micay
2016-10-19 9:41 ` Mark Rutland
2016-10-19 15:16 ` Daniel Micay [this message]
2016-10-18 20:48 ` Kees Cook
2016-10-18 21:15 ` Daniel Micay
2016-10-19 9:56 ` Mark Rutland
2016-10-19 10:01 ` Peter Zijlstra
2016-10-19 10:26 ` Arnaldo Carvalho de Melo
2016-10-19 10:40 ` Peter Zijlstra
2016-10-19 15:39 ` Daniel Micay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1476890160.4032.9.camel@gmail.com \
--to=danielmicay@gmail.com \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=jeffv@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).