On 03/24/2010 06:03 PM, Peter Zijlstra wrote:
> On Wed, 2010-03-24 at 16:01 +0100, Joerg Roedel wrote:
>> What I meant was: perf-kernel puts the guest-name into every sample and
>> perf-userspace accesses /sys/kvm/guest_name/fs/ later to resolve the
>> symbols. I leave the question of how the guest-fs is exposed to the host
>> out of this discussion. We should discuss this separately.
>
> I'd much prefer a pid like suggested later, keeps the samples smaller.
>
> But that said, we need guest kernel events like mmap and context
> switches too, otherwise we simply can't make sense of guest userspace
> addresses, we need to know the guest address space layout.

The kernel knows some of the address space layout, qemu knows all of it.

> So aside from a filesystem content, we first need mmap and context
> switch events to find the files we need to access.

This only works for the guest kernel, we don't know anything about guest
processes [1].

> And while I appreciate all the security talk, it's basically pointless
> anyway, the host can access it anyway, everybody agrees on that, but
> still you're arguing the case..

root can access anything, but we're not talking about root. The idea is
to protect against a guest that has exploited its qemu and is now
attacking the host and its fellow guests. uid protection is no good
since we want to isolate the guest from host processes belonging to the
same uid and from other guests running under the same uid.
[1] We can find out guest pids if we teach the kernel what to
dereference, i.e. gs:offset1->offset2->offset3. Of course this varies
from kernel to kernel, so we need some kind of bytecode that we can run
in perf nmi context. Kind of what we need to run an unwinder for
-fomit-frame-pointer.
--
error compiling committee.c: too many arguments to function
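
The dereference program from footnote [1] (gs:offset1->offset2->offset3), sketched as an added example that is not part of the original message and is not perf or KVM code: a loop-free bytecode with a hard length bound, where every load is bounds-checked so a hostile or stale chain fails cleanly. The opcode names, structures, offsets and the constructed guest memory are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical opcodes: no branches, so every program terminates. */
enum { OP_ADD, OP_LOAD64 };
struct insn { uint8_t op; int32_t imm; };
#define MAX_INSNS 8                      /* hard bound on work per sample */
/* Constructed stand-in for guest memory: len bytes at guest address base. */
struct guest_mem { uint64_t base; const uint8_t *data; size_t len; };

/* Bounds-checked read, standing in for a fault-safe guest accessor. */
static int guest_read(const struct guest_mem *m, uint64_t addr, uint64_t *dst)
{
    uint64_t off = addr - m->base;       /* only used if addr >= base */
    if (addr < m->base || off > m->len || m->len - off < sizeof(*dst))
        return -1;
    memcpy(dst, m->data + off, sizeof(*dst));
    return 0;
}

/* Follow the chain from start (e.g. guest gs base); 0 on success, -1 on error. */
int run_chain(const struct insn *prog, size_t n, uint64_t start,
              const struct guest_mem *m, uint64_t *out)
{
    uint64_t acc = start;
    if (n == 0 || n > MAX_INSNS)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (prog[i].op == OP_ADD)
            acc += (uint64_t)(int64_t)prog[i].imm;
        else if (prog[i].op != OP_LOAD64 || guest_read(m, acc, &acc))
            return -1;                   /* unknown opcode or failed load */
    }
    *out = acc;
    return 0;
}

int main(void)
{
    uint8_t mem[64] = {0};               /* constructed guest memory at 0x1000 */
    uint64_t task = 0x1020, pid = 4242, out = 0;
    memcpy(mem + 0x08, &task, 8);        /* gs:0x08 -> task struct */
    memcpy(mem + 0x30, &pid, 8);         /* task + 0x10 -> pid */
    struct guest_mem m = { 0x1000, mem, sizeof(mem) };
    struct insn prog[] = { {OP_ADD, 0x08}, {OP_LOAD64, 0}, {OP_ADD, 0x10}, {OP_LOAD64, 0} };
    return run_chain(prog, 4, 0x1000, &m, &out) == 0 && out == 4242 ? 0 : 1;
}
```

Because the offsets vary from kernel to kernel, only the `prog` array would change per guest kernel; the interpreter and its bounds stay fixed.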