From: Peter Zijlstra <peterz@infradead.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>,
Jeff Vander Stoep <jeffv@google.com>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Jonathan Corbet <corbet@lwn.net>
Subject: Re: [kernel-hardening] Re: [PATCH 1/2] security, perf: allow further restriction of perf_event_open
Date: Thu, 4 Aug 2016 17:37:42 +0200 [thread overview]
Message-ID: <20160804153742.GN6879@twins.programming.kicks-ass.net> (raw)
In-Reply-To: <87y44c1s9y.fsf@x220.int.ebiederm.org>
On Thu, Aug 04, 2016 at 10:13:29AM -0500, Eric W. Biederman wrote:
> The bits useful to the perf situation are:
> - user namespaces nest.
> - anyone can create a user namespace.
> - a sysctl can be bound to the userns that takes local privilege to
> change so you can't override it arbitrarily.
>
> Which is a long way of saying a user namespace is one way of marking
> processes that may or may not use perf.
>
> It was given in this case as an example of something that has been
> looked at that appears to solve peoples concerns.
> What is attractive to me semantically about something like this is
> applications that have perf_event disabled can still be traced with perf.
> > So far I'm still liking the new capability bit better, assuming I
> > understood those right.
>
> Your subsystem your call. I have never had much luck with capability
> bits. They are not particularly flexible, and are hard to get rid of
> permanently any suid root app gains them all.
Right, so I've no experience with any of this.
But from what I understood amluto recently made capabilities much more
useful with: 58319057b784 ("capabilities: ambient capabilities").
And the thing I like is having file capabilities, so even though the
user cannot in general create perf events, we could mark the
/usr/bin/perf executable as having CAP_PERF and allow it to create them,
because its a 'trusted' executable.
Can something like that be done with userns? Afaiu once you create a
userns with perf disabled, even a nested one cannot re-enable it,
otherwise you cannot create sandboxes.
next prev parent reply other threads:[~2016-08-04 15:37 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-27 14:45 [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open Jeff Vander Stoep
2016-07-27 20:43 ` Kees Cook
2016-08-02 9:52 ` [kernel-hardening] " Peter Zijlstra
2016-08-02 13:04 ` Arnaldo Carvalho de Melo
2016-08-02 13:10 ` Daniel Micay
2016-08-02 13:16 ` Daniel Micay
2016-08-02 19:04 ` Kees Cook
2016-08-02 20:30 ` Peter Zijlstra
2016-08-02 20:51 ` Kees Cook
2016-08-02 21:06 ` Jeffrey Vander Stoep
2016-08-03 8:28 ` Ingo Molnar
2016-08-03 12:28 ` Daniel Micay
2016-08-03 12:53 ` Daniel Micay
2016-08-03 13:36 ` Peter Zijlstra
2016-08-03 14:41 ` Peter Zijlstra
2016-08-03 15:42 ` Schaufler, Casey
2016-08-03 17:25 ` Eric W. Biederman
2016-08-03 18:53 ` Kees Cook
2016-08-03 21:44 ` Peter Zijlstra
2016-08-04 2:50 ` Eric W. Biederman
2016-08-04 9:11 ` Peter Zijlstra
2016-08-04 15:13 ` Eric W. Biederman
2016-08-04 15:37 ` Peter Zijlstra [this message]
2016-08-03 19:36 ` Daniel Micay
2016-08-04 10:28 ` Mark Rutland
2016-08-04 13:45 ` Daniel Micay
2016-08-04 14:11 ` Peter Zijlstra
2016-08-04 15:44 ` Daniel Micay
2016-08-04 15:55 ` Peter Zijlstra
2016-08-04 16:10 ` Mark Rutland
2016-08-04 16:32 ` Daniel Micay
2016-08-04 17:09 ` Mark Rutland
2016-08-04 17:36 ` Daniel Micay
2016-08-02 21:16 ` Jeffrey Vander Stoep
2016-10-17 13:44 ` [kernel-hardening] " Mark Rutland
2016-10-17 14:54 ` Daniel Micay
2016-10-19 9:41 ` Mark Rutland
2016-10-19 15:16 ` Daniel Micay
2016-10-18 20:48 ` Kees Cook
2016-10-18 21:15 ` Daniel Micay
2016-10-19 9:56 ` Mark Rutland
2016-10-19 10:01 ` Peter Zijlstra
2016-10-19 10:26 ` Arnaldo Carvalho de Melo
2016-10-19 10:40 ` Peter Zijlstra
2016-10-19 15:39 ` Daniel Micay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160804153742.GN6879@twins.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=corbet@lwn.net \
--cc=ebiederm@xmission.com \
--cc=jeffv@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).