From: Alexey Sheplyakov <asheplyakov@basealt.ru>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Subject: Re: [d-kernel] [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open
Date: Mon, 6 Jun 2022 13:20:40 +0400
Message-ID: <Yp3G6BNycsU28o7T@asheplyakov-rocket> (raw)
In-Reply-To: <Ypyp+KyhF0kcXMqd@portlab>
Hi,
On Sun, Jun 05, 2022 at 04:04:56PM +0300, Vladimir D. Seleznev wrote:
> > People who actually need security
> >
> > 1) don't use out-of-order CPUs (to avoid Meltdown, Spectre, etc)
> > 2) don't use Linux (so the kernel can be actually audited)
> > 3) don't exist
>
> I don't get the point of these. If we don't need security why should we
> bother with user/group processes/filesystems separation and permissions,
> chrooting, etc. We have a superuser, lets everything run with it!
1. In a way we already do (on desktop systems). All applications run with
the same uid and have the same permissions. Nothing prevents firefox
from sending my private GPG key to $BIG_BROTHER, or removing all files
(in $HOME), etc.
2. If you keep restricting the basic system functionality (profiling,
namespaces, etc) to root only eventually people will be forced
to run everything as root to get a usable system.
> 1) There are some tricks to significantly reducing impact of
> Spectre-like vulnerabilities, like disabling HT, separate processes to
> run on different trust-level CPU core, KPTI, etc.
> 2) The kernel constantly reviewed, sure it is not an audit but some part
> are well reviewed, especially in general parts.
I'll just leave this here: https://lkml.org/lkml/2021/4/21/454
> I think it is worth reducing the attack surface.
There are a vast number of (privilege escalation) attacks which make
use of symlinks. Let's disable symlinks (for ordinary users).
And provide a magic knob (without any documentation) to re-enable them.
> There were known vulnerabilities in the perf kernel subsystem that
> allowed to escalate privileges,
There were known vulnerabilities in all kernel subsystem. Including
core ones, like mm (proofs: [1], [2], [3]). What about disabling CoW,
vmsplice, and other "insecure" stuff?
[1] https://lwn.net/Articles/849638
[2] https://lwn.net/Articles/704231
[3] https://lwn.net/Articles/268783
> and profiling is not a common task.
Incorrect. Just because you don't care doesn't mean it's "not common".
> I don't see why switching the knob is a big problem.
The knob itself is not a big deal. The problem is the default value,
which prevents ordinary users from profiling their processes.
Best regards,
Alexey
next prev parent reply other threads:[~2022-06-06 9:20 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-02 0:31 Vitaly Chikunov
2022-06-02 7:14 ` Dmitry V. Levin
2022-06-02 12:40 ` Vitaly Chikunov
2022-06-02 13:29 ` Vitaly Chikunov
2022-06-02 15:58 ` Andrey Savchenko
2022-06-02 17:06 ` Vitaly Chikunov
2022-06-02 18:26 ` Vladimir D. Seleznev
2022-06-02 18:42 ` Andrey Savchenko
2022-06-02 18:56 ` Dmitry V. Levin
2022-06-03 6:27 ` Andrey Savchenko
2022-06-02 19:08 ` Vladimir D. Seleznev
2022-06-03 6:16 ` Andrey Savchenko
2022-06-03 12:41 ` Vladimir D. Seleznev
2022-06-03 12:54 ` Andrey Savchenko
2022-06-02 15:15 ` Alexey Sheplyakov
2022-06-02 16:39 ` Dmitry V. Levin
2022-06-03 6:25 ` Andrey Savchenko
2022-06-03 15:07 ` Vitaly Chikunov
2022-06-05 7:48 ` Alexey Sheplyakov
2022-06-05 7:59 ` Dmitry V. Levin
2022-06-06 14:31 ` Alexey Sheplyakov
2022-06-05 13:04 ` Vladimir D. Seleznev
2022-06-06 9:20 ` Alexey Sheplyakov [this message]
2022-06-06 10:31 ` Andrey Savchenko
2022-06-06 12:10 ` Alexey Sheplyakov
2022-06-06 12:53 ` Vladimir D. Seleznev
2022-06-06 12:59 ` Vladimir D. Seleznev
2022-06-08 14:27 ` [d-kernel] right to profile (Re: [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open) Alexey Sheplyakov
2022-06-15 11:19 ` [d-kernel] [JT] Re: right to profile Michael Shigorin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yp3G6BNycsU28o7T@asheplyakov-rocket \
--to=asheplyakov@basealt.ru \
--cc=devel-kernel@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux kernel packages development
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \
devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com
public-inbox-index devel-kernel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git