[d-kernel] right to profile (Re: [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open)
asheplyakov at basealt.ru
Wed Jun 8 17:27:26 MSK 2022
On Mon, Jun 06, 2022 at 03:53:59PM +0300, Vladimir D. Seleznev wrote:
> > > I think it is worth reducing the attack surface.
> > There are a vast number of (privilege escalation) attacks which make
> > use of symlinks. Let's disable symlinks (for ordinary users).
> Some are mitigated with fs.protected_symlinks. But race conditions with
> symlinks are about attacking userspace privileged processes, not the
The result is the same: the attacker gains root access to the system.
And there have been *many* more symlink-related attacks than the one based
on perf. So, should we disable symlinks by default?
> > And provide a magic knob (without any documentation) to re-enable them.
> Sure it should be documented.
> > > There were known vulnerabilities in the perf kernel subsystem that
> > > allowed to escalate privileges,
> > There were known vulnerabilities in all kernel subsystems. Including
> > core ones, like mm (proofs: , , ). What about disabling CoW,
> > vmsplice, and other "insecure" stuff?
> Does it mean that we do not need to reduce attack surface because there
> were (and will be) vulnerabilities in the core subsystem?
Most attempts to reduce it either make the system unusable (SELinux)
and/or end up *increasing* the attack surface (namespaces, SELinux)
via adding/exposing lots of complicated code (into kernel), extra suid
> What kind of users exist? I distinguish several types of users (the list
> is not intended to be exhaustive):
> 1. A homemaker or non-tech user who just uses a computer for
> reading/writing documents, listening to music, watching videos and browsing.
> This kind of user does not need profiling.
Wrong. These guys are exactly the ones who need profiling.
Profiling *on their* system is the only way to get meaningful
data from "my browser freezes when playing youtube videos"
Now I can tell them to start their browser from a terminal as
perf record -g firefox
> 2. A tech person who owns a personal computer, and this exact person
> admins his/her device. If he/she needs profiling, he/she can easily
> enable this feature.
Wrong. Those folks will install a different distro without the вахтёр (gatekeeper) syndrome.
> 3. A sysadmin who serves a lot of production servers.
This one is supposed to
- know what perf is
- be able to figure out if running perf is a privacy/security
concern (for a given workload)
- know how to uninstall/disable perf if necessary
> 4. An ordinary user of a big cluster, who can be a developer for such a
> system and who may need profiling. In that case he or she can ask the
> cluster sysadmin to enable this feature.
Been there, done that (this partly explains why I'm so angry about
the patch). Those requests get redirected to /dev/null, because that's
the easiest thing to do for an admin. It takes a lot of time and effort
even to get the request considered, let alone implemented.