[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.21.1906142049480.3646@namei.org>
Date: Fri, 14 Jun 2019 20:53:46 -0700 (PDT)
From: James Morris <jmorris@...ei.org>
To: "Lubashev, Igor" <ilubashe@...mai.com>
cc: Serge Hallyn <serge@...lyn.com>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve
fsuid/fsgid across execve
On Sat, 15 Jun 2019, Lubashev, Igor wrote:
> > On Friday, June 14, 2019, James Morris wrote:
> Unfortunately, perf is using uid==0 and euid==0 as a "capability bits".
>
>
> In tools/perf/util/evsel.c:
> static bool perf_event_can_profile_kernel(void)
> {
> return geteuid() == 0 || perf_event_paranoid() == -1;
> }
>
> In tools/perf/util/symbol.c:
> static bool symbol__read_kptr_restrict(void)
> {
> ...
> value = ((geteuid() != 0) || (getuid() != 0)) ?
> (atoi(line) != 0) :
> (atoi(line) == 2);
> ...
> }
These are bugs. They should be checking for CAP_SYS_ADMIN.
>
> > Have you considered the example security configuration in
> > Documentation/admin-guide/perf-security.rst ?
>
> Unfortunately, this configuration does not work, unless you reset
> /proc/sys/kernel/perf_event_paranoid to a permissive level (see code
> above). We have perf_event_paranoid set to 2. If it worked, we could had
> implemented the same capability-based policy in the wrapper.
This is not necessary for a process which has CAP_SYS_ADMIN.
--
James Morris
<jmorris@...ei.org>
Powered by blists - more mailing lists