| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Apr 2020 23:50:16 +0300
From: Alexey Budankov <alexey.budankov@...ux.intel.com>
To: Arnaldo Carvalho de Melo <acme@...nel.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>, Jiri Olsa <jolsa@...hat.com>,
Andi Kleen <ak@...ux.intel.com>,
Igor Lubashev <ilubashe@...mai.com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Namhyung Kim <namhyung@...nel.org>,
James Morris <jmorris@...ei.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v6 04/10] perf tool: extend Perf tool with CAP_PERFMON
capability support
Hi Arnaldo,
On 28.01.2020 9:09, Alexey Budankov wrote:
>
> Extend error messages to mention CAP_PERFMON capability as an option
> to substitute CAP_SYS_ADMIN capability for secure system performance
> monitoring and observability operations. Make perf_event_paranoid_check()
> and __cmd_ftrace() to be aware of CAP_PERFMON capability.
>
> CAP_PERFMON implements the principal of least privilege for performance
> monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 principle
> of least privilege: A security design principle that states that a process
> or program be granted only those privileges (e.g., capabilities) necessary
> to accomplish its legitimate function, and only for the time that such
> privileges are actually required)
>
> For backward compatibility reasons access to perf_events subsystem remains
> open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for
> secure perf_events monitoring is discouraged with respect to CAP_PERFMON
> capability.
>
> Signed-off-by: Alexey Budankov <alexey.budankov@...ux.intel.com>
> ---
> tools/perf/builtin-ftrace.c | 5 +++--
> tools/perf/design.txt | 3 ++-
> tools/perf/util/cap.h | 4 ++++
> tools/perf/util/evsel.c | 10 +++++-----
> tools/perf/util/util.c | 1 +
> 5 files changed, 15 insertions(+), 8 deletions(-)
Could this have you explicit Reviewed-by or Acked-by tag
so the changes could be driven into the kernel?
Latest v7 is here:
https://lore.kernel.org/lkml/c8de937a-0b3a-7147-f5ef-69f467e87a13@linux.intel.com/
Thanks,
Alexey
>
> diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
> index d5adc417a4ca..55eda54240fb 100644
> --- a/tools/perf/builtin-ftrace.c
> +++ b/tools/perf/builtin-ftrace.c
> @@ -284,10 +284,11 @@ static int __cmd_ftrace(struct perf_ftrace *ftrace, int argc, const char **argv)
> .events = POLLIN,
> };
>
> - if (!perf_cap__capable(CAP_SYS_ADMIN)) {
> + if (!(perf_cap__capable(CAP_PERFMON) ||
> + perf_cap__capable(CAP_SYS_ADMIN))) {
> pr_err("ftrace only works for %s!\n",
> #ifdef HAVE_LIBCAP_SUPPORT
> - "users with the SYS_ADMIN capability"
> + "users with the CAP_PERFMON or CAP_SYS_ADMIN capability"
> #else
> "root"
> #endif
> diff --git a/tools/perf/design.txt b/tools/perf/design.txt
> index 0453ba26cdbd..a42fab308ff6 100644
> --- a/tools/perf/design.txt
> +++ b/tools/perf/design.txt
> @@ -258,7 +258,8 @@ gets schedule to. Per task counters can be created by any user, for
> their own tasks.
>
> A 'pid == -1' and 'cpu == x' counter is a per CPU counter that counts
> -all events on CPU-x. Per CPU counters need CAP_SYS_ADMIN privilege.
> +all events on CPU-x. Per CPU counters need CAP_PERFMON or CAP_SYS_ADMIN
> +privilege.
>
> The 'flags' parameter is currently unused and must be zero.
>
> diff --git a/tools/perf/util/cap.h b/tools/perf/util/cap.h
> index 051dc590ceee..ae52878c0b2e 100644
> --- a/tools/perf/util/cap.h
> +++ b/tools/perf/util/cap.h
> @@ -29,4 +29,8 @@ static inline bool perf_cap__capable(int cap __maybe_unused)
> #define CAP_SYSLOG 34
> #endif
>
> +#ifndef CAP_PERFMON
> +#define CAP_PERFMON 38
> +#endif
> +
> #endif /* __PERF_CAP_H */
> diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
> index a69e64236120..a35f17723dd3 100644
> --- a/tools/perf/util/evsel.c
> +++ b/tools/perf/util/evsel.c
> @@ -2491,14 +2491,14 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target,
> "You may not have permission to collect %sstats.\n\n"
> "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n"
> "which controls use of the performance events system by\n"
> - "unprivileged users (without CAP_SYS_ADMIN).\n\n"
> + "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n"
> "The current value is %d:\n\n"
> " -1: Allow use of (almost) all events by all users\n"
> " Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n"
> - ">= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN\n"
> - " Disallow raw tracepoint access by users without CAP_SYS_ADMIN\n"
> - ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n"
> - ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN\n\n"
> + ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n"
> + " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
> + ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n"
> + ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n"
> "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n"
> " kernel.perf_event_paranoid = -1\n" ,
> target->system_wide ? "system-wide " : "",
> diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
> index 969ae560dad9..51cf3071db74 100644
> --- a/tools/perf/util/util.c
> +++ b/tools/perf/util/util.c
> @@ -272,6 +272,7 @@ int perf_event_paranoid(void)
> bool perf_event_paranoid_check(int max_level)
> {
> return perf_cap__capable(CAP_SYS_ADMIN) ||
> + perf_cap__capable(CAP_PERFMON) ||
> perf_event_paranoid() <= max_level;
> }
>
>
Powered by blists - more mailing lists