
Re: Should the kernel perf interface be available on autobuilders?



On Sun, 2016-12-04 at 14:41 +0100, Philipp Kern wrote:
> On 04.12.2016 07:52, Petter Reinholdtsen wrote:
> > Lluís Vilanova (cc) and I maintain the coz-profiler package in Debian,
> > and this package uses the perf kernel interface for profiling.  This
> > subsystem has received strict access limitations in recent Debian
> > kernels.  During build of the coz-profiler package it tests itself to
> > ensure it is working, and this works on all autobuilders except one, the
> > x32 architecture.
> > 
> > Are the autobuilders expected to block access to the perf kernel
> > interface, or is this a misconfiguration of the x32 build host?
> > 
> > The reason I ask is that the restricted setting has changed in recent
> > years, and I expect all autobuilders to get the restricted setting of
> > x32 when they are upgraded.  I would prefer it to be defined that the
> > autobuilders should provide access to the perf interface during build.
> > This can be set by inserting a lower value in
> > /proc/sys/kernel/perf_event_paranoid, for example like this:
> > 
> >   echo 1 > /proc/sys/kernel/perf_event_paranoid
> > 
> > The default value in Jessie is 1

(I wish it wasn't.)

> >  and this works with the coz-profiler
> > build, while the default value in unstable/testing is 3 and causes the
> > build to fail.  The details of this issue with coz-profiler can be found
> > in <URL: https://bugs.debian.org/844633 >.
> 
> I think ultimately it's up to DSA to decide to diverge from the default
> here and up to the kernel team to potentially change the default. (Both
> cc'ed.)
> 
> Do we know what 3 (vs. 2) actually stands for today? The source is
> elusive here, as you documented already. Specifically the capability you
> are asking for is access to the perf interface *without* CAP_SYS_ADMIN,
> correct? (Hence 1 instead of 2.)

Like most sysctls, this is now documented:

    perf_event_paranoid:

    Controls use of the performance events system by unprivileged
    users (without CAP_SYS_ADMIN).  The default value is 2.

     -1: Allow use of (almost) all events by all users
    >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
    >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
    >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN

The patch that adds the higher level doesn't currently touch that,
though.  The value of 3 disallows all use by unprivileged users.

> Requiring custom kernel sysctls to enable package builds is something we
> should try to avoid - I don't think we have a precedent at all here. At
> the same time it's unreasonable to require CAP_SYS_ADMIN for a build.

The insecurity of the perf subsystem can be quickly demonstrated by
fuzzing it with Trinity or perf_fuzzer
<http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/>.  I
recommend that you do not override the default.

Ben.

-- 
Ben Hutchings
Man invented language to satisfy his deep need to complain. - Lily
Tomlin
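The sysctl levels quoted above, and the question of whether a build needs CAP_SYS_ADMIN, can be turned into a preflight check so that a package's perf-based self-test is skipped with an explanation rather than failing opaquely, without lowering the sysctl. This is an added example, not code from the thread or from coz-profiler; it models the documented thresholds (-1 to 2, plus Debian's 3) with CAP_SYS_ADMIN as the only capability override, and the set of access classes a given self-test needs is an assumption the maintainer must fill in.

```python
"""Preflight check for a build whose self-test uses the perf_event interface."""
from pathlib import Path

SYSCTL = Path("/proc/sys/kernel/perf_event_paranoid")
STATUS = Path("/proc/self/status")
CAP_SYS_ADMIN = 21  # bit number from linux/capability.h


def effective_caps(status_text):
    """Decode the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def has_cap(capeff, bit):
    return bool((capeff >> bit) & 1)


def perf_access(level, capeff=0):
    """Map a perf_event_paranoid level to the access classes it permits.

    Each documented threshold removes one class for callers lacking
    CAP_SYS_ADMIN; Debian's level 3 removes all unprivileged use.  The
    raw-tracepoint line of the kernel doc names a separate capability,
    which this check does not model (assumption: CAP_SYS_ADMIN overrides
    every level, as the thread discusses).
    """
    admin = has_cap(capeff, CAP_SYS_ADMIN)
    return {
        "raw_tracepoints": admin or level < 0,
        "cpu_events": admin or level < 1,
        "kernel_profiling": admin or level < 2,
        "user_events": admin or level < 3,
    }


def check_build_env(level, capeff, needed=("user_events",)):
    """Return (ok, message); `needed` is hypothetical, set per package."""
    allowed = perf_access(level, capeff)
    missing = [cls for cls in needed if not allowed[cls]]
    if missing:
        return False, ("perf_event_paranoid=%d denies %s without CAP_SYS_ADMIN;"
                       " skipping perf self-test" % (level, ", ".join(missing)))
    return True, "perf_event_paranoid=%d permits %s" % (level, ", ".join(needed))


if __name__ == "__main__":  # reads the live values on a Linux host
    lvl = int(SYSCTL.read_text().strip())
    print(check_build_env(lvl, effective_caps(STATUS.read_text()))[1])
```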
