From: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

If some process has a perf_event_open fd it can monitor different (kernel, hardware, etc.) performance counters through it. And this fd is configured through perf_event_attr which has more than 30 fields. There is currently no kernel interface to get the configuration of an existing perf event fd. So to dump such an fd with CRIU we should add this interface.
We have ovs-vswitchd, which opens a perf event fd and does nothing with it; according to comments, it is only used in case someone uses PERF() macros to debug some code parts, which implies recompilation of ovs. But it is still a problem on migration because CRIU detects this fd and fails. Also ovs can handle the case where it can't open a perf event fd and falls back gracefully to work without it. So (at least for now) we should forbid this interface, to fix problems with ovs daemon migration.

https://jira.sw.ru/browse/PSBM-107217

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

(cherry-picked from vz8 commit f5bfd99719a7 ("ve/perf: forbid perf events syscall in containers"))

Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>

--- kernel/events/core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index 1cb1f9b8392e..c9f9b486b327 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -54,6 +54,7 @@ #include <linux/highmem.h> #include <linux/pgtable.h> #include <linux/buildid.h> +#include <linux/ve.h> #include "internal.h" @@ -11979,6 +11980,9 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; + if (!ve_is_super(get_exec_env())) + return -EACCES; + /* Do we allow access to perf_event_open(2) ? */ err = security_perf_event_open(&attr, PERF_SECURITY_OPEN); if (err) -- 2.30.2

_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
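Review bot: the new check in the perf_event_open hunk carries no comment explaining why non-super VEs are refused, and the commit message itself calls the block provisional ("at least for now") and motivated by CRIU/ovs migration rather than by a security policy; a one-line comment above `if (!ve_is_super(get_exec_env()))` pointing at PSBM-107217 would save the next reader from guessing at the intent. Two consequences of the placement are also worth stating in the commit message: the check sits after the flags validation but before `security_perf_event_open()`, so inside a container the LSM hook is never consulted and every caller is refused regardless of what `attr` requests; and the -EACCES return should be confirmed against what ovs-vswitchd's fallback path actually tolerates, since the justification relies on ovs coping with a failed open.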