[d-kernel] [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open

Alexey Sheplyakov asheplyakov на basealt.ru
Пн Июн 6 12:20:40 MSK 2022 

Hi,

On Sun, Jun 05, 2022 at 04:04:56PM +0300, Vladimir D. Seleznev wrote:
> > People who actually need security 
> > 
> > 1) don't use out-of-order CPUs (to avoid Meltdown, Spectre, etc)
> > 2) don't use Linux (so the kernel can be actually audited)
> > 3) don't exist
> 
> I don't get the point of these. If we don't need security why should we
> bother with user/group processes/filesystems separation and permissions,
> chrooting, etc. We have a superuser, lets everything run with it!

1. In a way we already do (on desktop systems). All applications run with
   the same uid and have the same permissions. Nothing prevents firefox
   from sending my private GPG key to $BIG_BROTHER, or removing all files
   (in $HOME), etc.
 
2. If you keep restricting the basic system functionality (profiling,
   namespaces, etc) to root only eventually people will be forced
   to run everything as root to get a usable system.

> 1) There are some tricks to significantly reducing impact of
> Spectre-like vulnerabilities, like disabling HT, separate processes to
> run on different trust-level CPU core, KPTI, etc.

> 2) The kernel constantly reviewed, sure it is not an audit but some part
> are well reviewed,  especially in general parts.

I'll just leave this here: https://lkml.org/lkml/2021/4/21/454

> I think it is worth reducing the attack surface.

There are a vast number of (privilege escalation) attacks which make
use of symlinks. Let's disable symlinks (for ordinary users).
And provide a magic knob (without any documentation) to re-enable them.

> There were known vulnerabilities in the perf kernel subsystem that 
> allowed to escalate privileges, 

There were known vulnerabilities in all kernel subsystem. Including
core ones, like mm (proofs: [1], [2], [3]). What about disabling CoW,
vmsplice, and other "insecure" stuff?

[1] https://lwn.net/Articles/849638 
[2] https://lwn.net/Articles/704231
[3] https://lwn.net/Articles/268783

> and profiling is not a common task.

Incorrect. Just because you don't care doesn't mean it's "not common".

> I don't see why switching the knob is a big problem.

The knob itself is not a big deal. The problem is the default value,
which prevents ordinary users from profiling their processes.


Best regards,
	Alexey

Подробная информация о списке рассылки devel-kernel