From: Peter Zijlstra <firstname.lastname@example.org> To: Kees Cook <email@example.com> Cc: Jeff Vander Stoep <firstname.lastname@example.org>, Ingo Molnar <email@example.com>, Arnaldo Carvalho de Melo <firstname.lastname@example.org>, Alexander Shishkin <email@example.com>, "firstname.lastname@example.org" <email@example.com>, "firstname.lastname@example.org" <email@example.com>, LKML <firstname.lastname@example.org>, Jonathan Corbet <email@example.com>, "Eric W. Biederman" <firstname.lastname@example.org> Subject: Re: [kernel-hardening] Re: [PATCH 1/2] security, perf: allow further restriction of perf_event_open Date: Tue, 2 Aug 2016 22:30:37 +0200 Message-ID: <20160802203037.GC6879@twins.programming.kicks-ass.net> (raw) In-Reply-To: <CAGXu5j+q4qWFspRCPEd5-MM05Sh_r6VYSQhP7gcAuRMygeZwjg@mail.gmail.com> On Tue, Aug 02, 2016 at 12:04:34PM -0700, Kees Cook wrote: > Now, obviously, these API have huge value, otherwise they wouldn't > exist in the first place, and they wouldn't be built into end-user > kernels if they were universally undesirable. But that's not the > situation: the APIs are needed, but they lack the appropriate knobs to > control their availability. So far so good, but I take exception with the suggestion that the proposed knob is appropriate. > And this isn't just about Android: regular > distro kernels (like Debian, who also uses this patch) tend to build > in everything so people can use whatever they want. But for admins > that want to reduce their systems' attack surface, there needs to be > ways to disable things like this. And here I think you're overestimating the knowledge of most admins. > > So the problem I have with this is that it will completely inhibit > > development of things like JITs that self-profile to re-compile > > frequently used code. > > This is a good example of a use-case where this knob would be turned > down. But for many many other use-cases, when presented with a > pre-built kernel, there isn't a way to remove the attack surface. No, quite the opposite. Having this knob will completely inhibit development of such applications. Worse it will probably render perf dead for quite a large body of developers. The moment you frame it like: perf or sekjurity, and even default to no-perf-because-sekjurity, a whole bunch of corporate IT departments will not enable this, even for their developers. Have you never had to 'root' your work machine to get work done? I have. Luckily this was pre-secure-boot times so it was trivial since I had physical access to the machine. But it still sucked I had to fight IT over mostly 'trivial' crap. > > I would much rather have an LSM hook where the security stuff can do > > more fine grained control of things. Allowing some apps perf usage while > > denying others. > > I'm not against an LSM, but I think it's needless complexity when > there is already a knob for this but it just doesn't go "high" enough. > :) So what will you to the moment the Google Dalvik guys come to you and say: "Hey, we want to do active profiling to do better on-line code generation?". I see 0 up-sides of this approach and, as per the above, a whole bunch of very serious downsides. A global (esp. default inhibited) knob is too coarse and limiting.
next prev parent reply index Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-07-27 14:45 [kernel-hardening] " Jeff Vander Stoep 2016-07-27 20:43 ` Kees Cook 2016-08-02 9:52 ` [kernel-hardening] " Peter Zijlstra 2016-08-02 13:04 ` Arnaldo Carvalho de Melo 2016-08-02 13:10 ` Daniel Micay 2016-08-02 13:16 ` Daniel Micay 2016-08-02 19:04 ` Kees Cook 2016-08-02 20:30 ` Peter Zijlstra [this message] 2016-08-02 20:51 ` Kees Cook 2016-08-02 21:06 ` Jeffrey Vander Stoep 2016-08-03 8:28 ` Ingo Molnar 2016-08-03 12:28 ` Daniel Micay 2016-08-03 12:53 ` Daniel Micay 2016-08-03 13:36 ` Peter Zijlstra 2016-08-03 14:41 ` Peter Zijlstra 2016-08-03 15:42 ` Schaufler, Casey 2016-08-03 17:25 ` Eric W. Biederman 2016-08-03 18:53 ` Kees Cook 2016-08-03 21:44 ` Peter Zijlstra 2016-08-04 2:50 ` Eric W. Biederman 2016-08-04 9:11 ` Peter Zijlstra 2016-08-04 15:13 ` Eric W. Biederman 2016-08-04 15:37 ` Peter Zijlstra 2016-08-03 19:36 ` Daniel Micay 2016-08-04 10:28 ` Mark Rutland 2016-08-04 13:45 ` Daniel Micay 2016-08-04 14:11 ` Peter Zijlstra 2016-08-04 15:44 ` Daniel Micay 2016-08-04 15:55 ` Peter Zijlstra 2016-08-04 16:10 ` Mark Rutland 2016-08-04 16:32 ` Daniel Micay 2016-08-04 17:09 ` Mark Rutland 2016-08-04 17:36 ` Daniel Micay 2016-08-02 21:16 ` Jeffrey Vander Stoep 2016-10-17 13:44 ` [kernel-hardening] " Mark Rutland 2016-10-17 14:54 ` Daniel Micay 2016-10-19 9:41 ` Mark Rutland 2016-10-19 15:16 ` Daniel Micay 2016-10-18 20:48 ` Kees Cook 2016-10-18 21:15 ` Daniel Micay 2016-10-19 9:56 ` Mark Rutland 2016-10-19 10:01 ` Peter Zijlstra 2016-10-19 10:26 ` Arnaldo Carvalho de Melo 2016-10-19 10:40 ` Peter Zijlstra 2016-10-19 15:39 ` Daniel Micay
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20160802203037.GC6879@twins.programming.kicks-ass.net \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Kernel-hardening Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/kernel-hardening/0 kernel-hardening/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 kernel-hardening kernel-hardening/ https://lore.kernel.org/kernel-hardening \ firstname.lastname@example.org public-inbox-index kernel-hardening Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/com.openwall.lists.kernel-hardening AGPL code for this site: git clone https://public-inbox.org/public-inbox.git