Re: [PATCH] perf probe: Provide more detail with relocation warning

From: Masami Hiramatsu
Date: Wed May 26 2021 - 10:20:27 EST

On Wed, 26 May 2021 09:56:29 -0300
Arnaldo Carvalho de Melo <acme@xxxxxxxxxx> wrote:

> Em Wed, May 26, 2021 at 03:33:40PM +0900, Masami Hiramatsu escreveu:
> > On Wed, 26 May 2021 10:23:18 +0530 Ravi Bangoria <ravi.bangoria@xxxxxxxxxxxxx> wrote:
> > > On 5/25/21 6:18 PM, Masami Hiramatsu wrote:
> > > > On Tue, 25 May 2021 10:07:44 +0530 Ravi Bangoria <ravi.bangoria@xxxxxxxxxxxxx> wrote:
>
> > > >> When run as normal user with default sysctl kernel.kptr_restrict=0
> > > >> and kernel.perf_event_paranoid=2, perf probe fails with:
>
> > > >> $ ./perf probe move_page_tables
> > > >> Relocated base symbol is not found!
>
> > > >> The warning message is not much informative. The reason perf
> > > >> fails is because /proc/kallsyms is restricted by
> > > >> perf_event_paranoid=2 for normal user and thus perf fails to read
> > > >> relocated address of the base symbol.
>
> > > >> Tweaking kptr_restrict and perf_event_paranoid can change the
> > > >> behavior of perf probe. Also, running as root or privileged user
> > > >> works too. Add these details in the warning message.
>
> > > >> Plus, kmap->ref_reloc_sym might not be always set even if
> > > >> host_machine is initialized. Above is the example of the same.
> > > >> Remove that comment.
>
> > > > Yes, those are restricted in some cases. Anyway without priviledged
> > > > (super) user, perf probe can not set the probe in ftrace.
>
> > > > Hmm, I think it should check the effective user-id at first. If it
> > > > is not super user and the action will access tracefs and kallsyms,
> > > > it should warn at that point.
>
> > > If kptr_restrict=2, perf probe fails with same error even for root user.
> > > That's why I thought to just change this warning message.
>
> > Ah, yes. In that case, perf probe must not use the base symbol.
> > (like -D option)
> > OK, then, let's merge this fix.
>
> > Acked-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
>
> Thanks, applied as it improves the current situation.
>
> But as a follow up, to further improve this, we can reuse what 'perf trace' has:
>
> $ perf trace sleep 1
> Error: No permissions to read /sys/kernel/tracing/events/raw_syscalls/sys_(enter|exit)
> Hint: Try 'sudo mount -o remount,mode=755 /sys/kernel/tracing/'
> $ sudo mount -o remount,mode=755 /sys/kernel/tracing/
> $ perf trace sleep 1
> Error: Permission denied.
> Hint: Check /proc/sys/kernel/perf_event_paranoid setting.
> Hint: For your workloads it needs to be <= 1
> Hint: For system wide tracing it needs to be set to -1.
> Hint: Try: 'sudo sh -c "echo -1 > /proc/sys/kernel/perf_event_paranoid"'
> Hint: The current value is 2.
> $

OK, let me check this.
BTW, does perf_event_paranoid affect only perf syscall (and kallsyms),
not the tracefs correct?

> I.e. go the extra step and show what the current value is and what it
> needs to be to achieve what is being attempted.
>
> IOW combine error message with relevant documentation, to save steps.
>
> See what 'perf top' does for an unpriv user:
>
> $ perf top --stdio
> Error:
> Access to performance monitoring and observability operations is limited.
> Enforced MAC policy settings (SELinux) can limit access to performance
> monitoring and observability operations. Inspect system audit records for
> more perf_event access control information and adjusting the policy.
> Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
> access to performance monitoring and observability operations for processes
> without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability.
> More information can be found at 'Perf events and tool security' document:
> https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
> perf_event_paranoid setting is 2:
> -1: Allow use of (almost) all events by all users
> Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
> >= 0: Disallow raw and ftrace function tracepoint access
> >= 1: Disallow CPU event access
> >= 2: Disallow kernel profiling
> To make the adjusted perf_event_paranoid setting permanent preserve it
> in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)

Hmm, I would rather like pointing manpages...

Would we better to have perf-security.7 manpage?

Thank you,

> $
>
> - Arnaldo
>
> >
> > >
> > > Different combinations of privilege, perf_event_paranoid, kptr_restrict:
> > >
> > > Normal/Root user
> > > | perf_event_paranoid
> > > V V kptr_restrict perf probe error
> > > ----------------------------------------------------------------
> > > N -1 0 Failed to open kprobe_events: Permission denied
> > > N 0 0 Failed to open kprobe_events: Permission denied
> > > N 1 0 Failed to open kprobe_events: Permission denied
> > > N 2 0 Relocated base symbol is not found!
> > >
> > > N -1 1 Relocated base symbol is not found!
> > > N 0 1 Relocated base symbol is not found!
> > > N 1 1 Relocated base symbol is not found!
> > > N 2 1 Relocated base symbol is not found!
> > >
> > > N -1 2 Relocated base symbol is not found!
> > > N 0 2 Relocated base symbol is not found!
> > > N 1 2 Relocated base symbol is not found!
> > > N 2 2 Relocated base symbol is not found!
> > >
> > > R -1 0 No error.
> > > R 0 0 No error.
> > > R 1 0 No error.
> > > R 2 0 No error.
> > >
> > > R -1 1 No error.
> > > R 0 1 No error.
> > > R 1 1 No error.
> > > R 2 1 No error.
> > >
> > > R -1 2 Relocated base symbol is not found!
> > > R 0 2 Relocated base symbol is not found!
> > > R 1 2 Relocated base symbol is not found!
> > > R 2 2 Relocated base symbol is not found!
> > >
> > > Ravi
> >
> >
> > --
> > Masami Hiramatsu <mhiramat@xxxxxxxxxx>
>
> --
>
> - Arnaldo


--
Masami Hiramatsu <mhiramat@xxxxxxxxxx>