[RHEL8,COMMIT] ve/perf: forbid perf events syscall in containers

Submitted by Konstantin Khorenko on Sept. 22, 2020, 12:27 p.m.

Details

Message ID 202009221227.08MCR6EN007874@finist-co8.sw.ru
State New
Series "ve/perf: forbid perf events syscall in containers"
Headers show

Commit Message

Konstantin Khorenko Sept. 22, 2020, 12:27 p.m.
The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.6
------>
commit ed1fc404e6904702b4caded62e1e70e7420e12be
Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date:   Tue Sep 22 15:27:06 2020 +0300

    ve/perf: forbid perf events syscall in containers
    
    If some process has perf_event_open fd it can monitor different (kernel,
    hardware, etc) perfomance counters through it. And this fd is configured
    through perf_event_attr which has more than 30 fields. There is
    currently no kernel interface to get the configuration of existing perf
    event fd. So to dump such an fd with CRIU we should add this interface.
    
    We have ovs-vswitchd, which opens perf event fd and does nothing with it
    according to comments, it is only used in case someone will use PERF()
    macros to debug some code parts which implies recompilation of ovs. But
    it is still a problem on migration because CRIU detects this fd and
    fails. Also ovs can handle if it can't open perf event fd and fallbacks
    gracefully to work without it.
    
    So (at least for now) we should forbid this interface, to fix problems
    with ovs daemon migration.
    
    https://jira.sw.ru/browse/PSBM-107217
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 kernel/events/core.c | 4 ++++
 1 file changed, 4 insertions(+)

Patch hide | download patch | download mbox

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 61b0e1dfdebe..17066990a235 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -49,6 +49,7 @@ 
 #include <linux/sched/mm.h>
 #include <linux/proc_ns.h>
 #include <linux/mount.h>
+#include <linux/ve.h>
 
 #include "internal.h"
 
@@ -10874,6 +10875,9 @@  SYSCALL_DEFINE5(perf_event_open,
 	if (flags & ~PERF_FLAG_ALL)
 		return -EINVAL;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EACCES;
+
 	err = perf_copy_attr(attr_uptr, &attr);
 	if (err)
 		return err;