Page MenuHomeFreeBSD

hwpmc: Improve re-attachment logic in pmc_process_exec()
Changes PlannedPublic

Authored by mhorne on May 26 2023, 6:39 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 24, 8:13 PM
Unknown Object (File)
Tue, Oct 14, 6:47 AM
Unknown Object (File)
Tue, Oct 14, 6:46 AM
Unknown Object (File)
Tue, Oct 14, 6:46 AM
Unknown Object (File)
Mon, Oct 13, 5:09 PM
Unknown Object (File)
Mon, Oct 6, 1:17 PM
Unknown Object (File)
Mon, Sep 29, 3:31 AM
Unknown Object (File)
Sun, Sep 28, 1:46 AM
Subscribers

Details

Reviewers
jkoshy
emaste
gnn
markj
Group Reviewers
pmc
Summary

When a process transforms after an execve() call, we call into a hwpmc
hook to handle a few things. In particular, if the process had PMCs
attached to it, we need to evaluate whether the owning process has
sufficient privilege to re-attach its PMCs to the (new) target process.
In particular, we handle the case where the process credentials have
changed due to setuid on the exec'ed program.

Previously, we were evaluating this using a set of hand-rolled
credential checks, that partially duplicate the logic found in
p_candebug(). In the initial PMC attachment path (PMC_OP_PMCATTACH via
syscall), we call p_candebug() to determine if the thread owning the PMC
has sufficient privileges to attach it to the target process. So, change
pmc_process_exec() to use p_candebug() for the re-attachment checks as
well.

As a result, pmc_can_attach() is removed completely, and so is the
pm_credentialschanged member of struct pmckern_procexec.

This change ends up handling an additional case where the exec'ed
process now has the 'P2_NOTRACE' flag set, and re-attachment will not
proceed. This is a niche edge-case, but demonstrates why it is more
appropriate to use the core p_candebug() routine.

Some additional cleanup: specify PMC_FLAG_REMOVE for the call to the
detach routine; this will handle ref counting and process descriptor
cleanup for us. It will also clear the P_HWPMC flag when appropriate,
where before seem to have been leaking this.

Test Plan

I will verify this behaves as expected via PMCDBG trace entries.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 51718
Build 48609: arc lint + arc unit

Event Timeline

sys/dev/hwpmc/hwpmc_mod.c
1068

for me the can_attach logic in each of these blocks is a little awkward, maybe a goto exit would make it a bit more clear?

1073

does this match?

There are further improvements to be made here, will update after some investigation.

sys/dev/hwpmc/hwpmc_mod.c
1073

It does not, my bad!

Rework the change; remove pmc_can_attach() entirely in favor of p_candebug().

mhorne retitled this revision from hwpmc: fix sense of pmc_can_attach() to hwpmc: Improve re-attachment logic in pmc_process_exec().May 30 2023, 2:47 PM
mhorne edited the summary of this revision. (Show Details)
mhorne edited the test plan for this revision. (Show Details)
mhorne added a reviewer: markj.
sys/dev/hwpmc/hwpmc_mod.c
1323

Note: now, all three callers of pmc_detach_one_process() pass the same flag. We could just assume this behaviour and remove the parameter, but I have not made this change.

sys/dev/hwpmc/hwpmc_mod.c
1322

This requires p to be locked, but I can't see where that happens.

1325

Note that P2_NOTRACE specifically inhibits attaching with ptrace(2); it's ignored if the debugger has root privileges. Since hwpmc always(?) requires root privileges, P2_NOTRACE has no effect here. It similarly doesn't restrict dtrace.

sys/dev/hwpmc/hwpmc_mod.c
1322

Ah okay, I will fix that. That is missing from the man page.

1325

Root privileges are not required to use process-mode PMCs, so any user can perform e.g. pmcstat -p instructions -t $pid for a process they own. So in this case, pmc will respect the flag.

It is perhaps not that important to note P2_NOTRACE in the comment.

Ugh, I did not test it properly, and I think this version is totally broken...