
Re: Should the kernel perf interface be available on autobuilders?



On 2016-12-04 20:32, Petter Reinholdtsen wrote:
> [Lluís Vilanova]
>> AFAIK, a paranoid level of 2 for perf is enough to not make coz's
>> tests break (level 3 or above seems to effectively disable the perf
>> interface). Also, it seems that build machines for all other
>> architectures have a perf paranoid level of 2 or lower.
> Yes.  And I guess the fundamental question here is this: Should a
> profiler package in Debian be able to verify its own functionality
> during build (i.e. run its test suite), even if it depends on the Linux
> kernel perf interface for its operation.
> 
> If I understand Ben correctly, he recommends that the answer is no, as
> the perf interface is so insecure that it should only be enabled on a
> developer's machine when the developer finds the risk acceptable.
> 
> Of course I would prefer the answer to be yes, because I want to keep
> broken packages out of the archive and running the test suite during
> build is a very good way to do that.
> 
> I do not know the risk involved, and trust the opinion of Ben on the
> risk involved.  But is level 2 just as dangerous (or perhaps that risk
> is acceptable), or is level 3 required?  If the perf interface at any
> level below 3 is too dangerous, perhaps it should be disabled on the
> current autobuilders too?

I suppose the threat model here is a source package build exploiting the
perf subsystem to compromise other builds. I don't think we particularly
need to worry about that, as it requires a successful archive upload
with the payload first. What Ben said was that changing the default for
all Debian users does not make sense from his point of view, because it
opens up attack surface unnecessarily.

So I don't think that the perf calls need to be disabled on the existing
autobuilders. On them there's also currently nothing to do because
Jessie has a different default, which won't be changed during the
lifetime of Jessie and all official autobuilders run Jessie (even
mips64el, which uses a 32bit userland with a 64bit capable kernel).

However I do wonder why not more of the unofficial ports hit this. Maybe
they never rebooted into a recent kernel?

Kind regards
Philipp Kern
