lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <56648455-3650-1fa2-6364-659d92d5dc14@linux.intel.com>
Date:   Fri, 3 Apr 2020 16:08:16 +0300
From:   Alexey Budankov <alexey.budankov@...ux.intel.com>
To:     Jiri Olsa <jolsa@...hat.com>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Ingo Molnar <mingo@...hat.com>,
        James Morris <jmorris@...ei.org>,
        Namhyung Kim <namhyung@...nel.org>,
        Serge Hallyn <serge@...lyn.com>,
        Song Liu <songliubraving@...com>,
        Andi Kleen <ak@...ux.intel.com>,
        Stephane Eranian <eranian@...gle.com>,
        Igor Lubashev <ilubashe@...mai.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "selinux@...r.kernel.org" <selinux@...r.kernel.org>,
        "intel-gfx@...ts.freedesktop.org" <intel-gfx@...ts.freedesktop.org>,
        "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
        linux-man@...r.kernel.org
Subject: Re: [PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON
 capability support


On 03.04.2020 14:08, Jiri Olsa wrote:
> On Thu, Apr 02, 2020 at 11:47:35AM +0300, Alexey Budankov wrote:
>>
>> Extend error messages to mention CAP_PERFMON capability as an option
>> to substitute CAP_SYS_ADMIN capability for secure system performance
>> monitoring and observability operations. Make perf_event_paranoid_check()
>> and __cmd_ftrace() to be aware of CAP_PERFMON capability.
>>
>> CAP_PERFMON implements the principal of least privilege for performance
>> monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39
>> principle of least privilege: A security design principle that states
>> that a process or program be granted only those privileges (e.g.,
>> capabilities) necessary to accomplish its legitimate function, and only
>> for the time that such privileges are actually required)
>>
>> For backward compatibility reasons access to perf_events subsystem remains
>> open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for
>> secure perf_events monitoring is discouraged with respect to CAP_PERFMON
>> capability.
>>
>> Signed-off-by: Alexey Budankov <alexey.budankov@...ux.intel.com>
>> Reviewed-by: James Morris <jamorris@...ux.microsoft.com>
> 
> Acked-by: Jiri Olsa <jolsa@...hat.com>

Thanks! I appreciate you support.

~Alexey

> 
> thanks,
> jirka
> 
>> ---
>>  tools/perf/builtin-ftrace.c |  5 +++--
>>  tools/perf/design.txt       |  3 ++-
>>  tools/perf/util/cap.h       |  4 ++++
>>  tools/perf/util/evsel.c     | 10 +++++-----
>>  tools/perf/util/util.c      |  1 +
>>  5 files changed, 15 insertions(+), 8 deletions(-)
>>
>> diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
>> index d5adc417a4ca..55eda54240fb 100644
>> --- a/tools/perf/builtin-ftrace.c
>> +++ b/tools/perf/builtin-ftrace.c
>> @@ -284,10 +284,11 @@ static int __cmd_ftrace(struct perf_ftrace *ftrace, int argc, const char **argv)
>>  		.events = POLLIN,
>>  	};
>>  
>> -	if (!perf_cap__capable(CAP_SYS_ADMIN)) {
>> +	if (!(perf_cap__capable(CAP_PERFMON) ||
>> +	      perf_cap__capable(CAP_SYS_ADMIN))) {
>>  		pr_err("ftrace only works for %s!\n",
>>  #ifdef HAVE_LIBCAP_SUPPORT
>> -		"users with the SYS_ADMIN capability"
>> +		"users with the CAP_PERFMON or CAP_SYS_ADMIN capability"
>>  #else
>>  		"root"
>>  #endif
>> diff --git a/tools/perf/design.txt b/tools/perf/design.txt
>> index 0453ba26cdbd..a42fab308ff6 100644
>> --- a/tools/perf/design.txt
>> +++ b/tools/perf/design.txt
>> @@ -258,7 +258,8 @@ gets schedule to. Per task counters can be created by any user, for
>>  their own tasks.
>>  
>>  A 'pid == -1' and 'cpu == x' counter is a per CPU counter that counts
>> -all events on CPU-x. Per CPU counters need CAP_SYS_ADMIN privilege.
>> +all events on CPU-x. Per CPU counters need CAP_PERFMON or CAP_SYS_ADMIN
>> +privilege.
>>  
>>  The 'flags' parameter is currently unused and must be zero.
>>  
>> diff --git a/tools/perf/util/cap.h b/tools/perf/util/cap.h
>> index 051dc590ceee..ae52878c0b2e 100644
>> --- a/tools/perf/util/cap.h
>> +++ b/tools/perf/util/cap.h
>> @@ -29,4 +29,8 @@ static inline bool perf_cap__capable(int cap __maybe_unused)
>>  #define CAP_SYSLOG	34
>>  #endif
>>  
>> +#ifndef CAP_PERFMON
>> +#define CAP_PERFMON	38
>> +#endif
>> +
>>  #endif /* __PERF_CAP_H */
>> diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
>> index 816d930d774e..2696922f06bc 100644
>> --- a/tools/perf/util/evsel.c
>> +++ b/tools/perf/util/evsel.c
>> @@ -2507,14 +2507,14 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target,
>>  		 "You may not have permission to collect %sstats.\n\n"
>>  		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n"
>>  		 "which controls use of the performance events system by\n"
>> -		 "unprivileged users (without CAP_SYS_ADMIN).\n\n"
>> +		 "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n"
>>  		 "The current value is %d:\n\n"
>>  		 "  -1: Allow use of (almost) all events by all users\n"
>>  		 "      Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n"
>> -		 ">= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN\n"
>> -		 "      Disallow raw tracepoint access by users without CAP_SYS_ADMIN\n"
>> -		 ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n"
>> -		 ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN\n\n"
>> +		 ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n"
>> +		 "      Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
>> +		 ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n"
>> +		 ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n"
>>  		 "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n"
>>  		 "	kernel.perf_event_paranoid = -1\n" ,
>>  				 target->system_wide ? "system-wide " : "",
>> diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
>> index d707c9624dd9..37a9492edb3e 100644
>> --- a/tools/perf/util/util.c
>> +++ b/tools/perf/util/util.c
>> @@ -290,6 +290,7 @@ int perf_event_paranoid(void)
>>  bool perf_event_paranoid_check(int max_level)
>>  {
>>  	return perf_cap__capable(CAP_SYS_ADMIN) ||
>> +			perf_cap__capable(CAP_PERFMON) ||
>>  			perf_event_paranoid() <= max_level;
>>  }
>>  
>> -- 
>> 2.24.1
>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ