[Devel] [PATCH RHEL7 COMMIT] ve/perf: forbid perf events syscall in containers
Vasily Averin
vvs at virtuozzo.com
Wed Sep 2 13:01:14 MSK 2020
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.15
------>
commit f246c6a486e835273fb06cd9412a22ddd8d0b243
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Wed Sep 2 13:01:14 2020 +0300
ve/perf: forbid perf events syscall in containers
If some process has a perf_event_open fd it can monitor different (kernel,
hardware, etc.) performance counters through it. And this fd is configured
through perf_event_attr which has more than 30 fields. There is
currently no kernel interface to get the configuration of existing perf
event fd. So to dump such an fd with CRIU we should add this interface.
We have ovs-vswitchd, which opens a perf event fd and does nothing with it
according to comments; it is only used in case someone uses the PERF()
macros to debug some code parts, which implies recompilation of ovs. But
it is still a problem on migration because CRIU detects this fd and
fails. Also ovs can handle it if it can't open a perf event fd and falls back
gracefully to working without it.
So (at least for now) we should forbid this interface, to fix problems
with ovs daemon migration.
https://jira.sw.ru/browse/PSBM-107217
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
kernel/events/core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 2fdc895..a6f4653 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -46,6 +46,7 @@
#include <linux/parser.h>
#include <linux/bpf.h>
#include <linux/filter.h>
+#include <linux/ve.h>
#include "internal.h"
@@ -10045,6 +10046,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
+ if (!ve_is_super(get_exec_env()))
+ return -EACCES;
+
err = perf_copy_attr(attr_uptr, &attr);
if (err)
return err;
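Review bot: the new ve_is_super() check carries no comment, and ve_is_super() alone does not tell the next reader why perf_event_open is refused inside a container; add a one-line comment above `if (!ve_is_super(get_exec_env()))` citing PSBM-107217 and the CRIU limitation from the commit message (no interface to read back perf_event_attr, so such fds cannot be dumped). Two things worth stating explicitly in that comment or the commit message: the check sits before perf_copy_attr(), so a container caller is rejected before any of the attr fields are parsed, which is the right order for a policy gate; and the check only gates new opens, so a perf fd that a container process opened before this kernel was booted is still present and will still make a CRIU dump fail, which matters for the migration motivation. The -EACCES return is consistent with the other denials earlier in this syscall, so no change needed there.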
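The commit message relies on user space coping when perf_event_open is refused, the way it says ovs-vswitchd does. As an added illustration that is not code from this patch, from the vzkernel tree or from ovs, the following probe opens one software counter with the smallest useful attribute set, maps a failure errno (including the -EACCES this patch returns inside a container) to a coarse status, and lets the caller continue without counters instead of treating the refusal as fatal. The helper names and the status enum are this example's own.

```c
/* Added example (not from the patch or the vzkernel tree): probe whether
 * perf_event_open() is usable and fall back gracefully when it is refused,
 * e.g. with EACCES inside a container after this commit. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/perf_event.h>

/* Hypothetical status codes for this example. */
enum perf_status { PERF_OK, PERF_DENIED, PERF_UNSUPPORTED, PERF_OTHER };

/* Map the errno left by a failed perf_event_open() to a coarse status so the
 * caller can decide whether to run without counters or report a real bug. */
enum perf_status classify_perf_errno(int err)
{
    switch (err) {
    case 0:
        return PERF_OK;
    case EACCES:      /* policy denial: this patch inside a container, or
                         perf_event_paranoid without the needed capability */
    case EPERM:
        return PERF_DENIED;
    case ENOSYS:      /* kernel built without perf events */
    case ENODEV:      /* counter not available on this CPU */
    case EOPNOTSUPP:
        return PERF_UNSUPPORTED;
    default:
        return PERF_OTHER;  /* EINVAL, EMFILE, ... : a caller-side problem */
    }
}

/* Try to open a CPU-clock software counter on the calling process only.
 * On success stores the fd in *fd_out and returns PERF_OK; otherwise leaves
 * *fd_out untouched and returns the classified errno. */
enum perf_status probe_perf_event(int *fd_out)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof(attr);
    attr.config = PERF_COUNT_SW_CPU_CLOCK;
    attr.disabled = 1;
    attr.exclude_kernel = 1;  /* least privilege: count user space only */
    attr.exclude_hv = 1;

    /* pid = 0 (this process), cpu = -1 (any), group_fd = -1, flags = 0 */
    long fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0)
        return classify_perf_errno(errno);
    *fd_out = (int)fd;
    return PERF_OK;
}

int main(void)
{
    int fd = -1;
    enum perf_status st = probe_perf_event(&fd);
    int saved = errno;

    switch (st) {
    case PERF_OK:
        printf("perf_event_open available (fd %d); counters enabled\n", fd);
        close(fd);
        break;
    case PERF_DENIED:
        printf("perf_event_open denied (%s); continuing without counters\n",
               strerror(saved));
        break;
    case PERF_UNSUPPORTED:
        printf("perf events unsupported here (%s); continuing without counters\n",
               strerror(saved));
        break;
    default:
        fprintf(stderr, "unexpected perf_event_open error: %s\n", strerror(saved));
        return 1;
    }
    return 0;
}
```

Run inside a container on a kernel with this patch, the probe takes the PERF_DENIED branch and exits 0; on a host, or in a container on an unpatched kernel, it opens and closes the counter. The point of separating classify_perf_errno() from the syscall is that the same policy (deny and unsupported are fallbacks, anything else is a bug) can be unit-tested without needing a particular kernel.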