From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Alexey Budankov <alexey.budankov@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>
Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>,
Alexei Starovoitov <ast@kernel.org>,
Ingo Molnar <mingo@redhat.com>, James Morris <jmorris@namei.org>,
Namhyung Kim <namhyung@kernel.org>,
Serge Hallyn <serge@hallyn.com>, Jiri Olsa <jolsa@redhat.com>,
Song Liu <songliubraving@fb.com>, Andi Kleen <ak@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Igor Lubashev <ilubashe@akamai.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
linux-man@vger.kernel.org
Subject: Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability
Date: Mon, 13 Jul 2020 09:17:46 -0300 [thread overview]
Message-ID: <20200713121746.GA7029@kernel.org> (raw)
In-Reply-To: <0d2e2306-22b2-a730-dc3f-edb3538b6561@linux.intel.com>
Em Mon, Jul 13, 2020 at 12:48:25PM +0300, Alexey Budankov escreveu:
>
> On 10.07.2020 20:09, Arnaldo Carvalho de Melo wrote:
> > Em Fri, Jul 10, 2020 at 05:30:50PM +0300, Alexey Budankov escreveu:
> >> On 10.07.2020 16:31, Ravi Bangoria wrote:
> >>>> Currently access to perf_events, i915_perf and other performance
> >>>> monitoring and observability subsystems of the kernel is open only for
> >>>> a privileged process [1] with CAP_SYS_ADMIN capability enabled in the
> >>>> process effective set [2].
> >>>> This patch set introduces CAP_PERFMON capability designed to secure
> >>>> system performance monitoring and observability operations so that
> >>>> CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role
> >>>> for performance monitoring and observability subsystems of the kernel.
> >>> I'm seeing an issue with CAP_PERFMON when I try to record data for a
> >>> specific target. I don't know whether this is sort of a regression or
> >>> an expected behavior.
> >> Thanks for reporting and root causing this case. The behavior looks like
> >> kind of expected since currently CAP_PERFMON takes over the related part
> >> of CAP_SYS_ADMIN credentials only. Actually Perf security docs [1] say
> >> that access control is also subject to CAP_SYS_PTRACE credentials.
> > I think that stating that in the error message would be helpful, after
> > all, who reads docs? 8-)
> At least those who write it :D ...
Everybody should read it, sure :-)
> > I.e., this:
> >
> > $ ./perf stat ls
> > Error:
> > Access to performance monitoring and observability operations is limited.
> > $
> >
> > Could become:
> >
> > $ ./perf stat ls
> > Error:
> > Access to performance monitoring and observability operations is limited.
> > Right now only CAP_PERFMON is granted, you may need CAP_SYS_PTRACE.
> > $
>
> It would better provide reference to perf security docs in the tool output.
So add a 3rd line:
$ ./perf stat ls
Error:
Access to performance monitoring and observability operations is limited.
Right now only CAP_PERFMON is granted, you may need CAP_SYS_PTRACE.
Please read the 'Perf events and tool security' document:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
> Looks like extending ptrace_may_access() check for perf_events with CAP_PERFMON
You mean the following?
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 856d98c36f56..a2397f724c10 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11595,7 +11595,7 @@ SYSCALL_DEFINE5(perf_event_open,
* perf_event_exit_task() that could imply).
*/
err = -EACCES;
- if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
+ if (!perfmon_capable() && !ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
goto err_cred;
}
> makes monitoring simpler and even more secure to use since Perf tool need
> not to start/stop/single-step and read/write registers and memory and so on
> like a debugger or strace-like tool. What do you think?
I tend to agree, Peter?
> Alexei
>
> >
> > - Arnaldo
> >
> >> CAP_PERFMON could be used to extend and substitute ptrace_may_access()
> >> check in perf_events subsystem to simplify user experience at least in
> >> this specific case.
> >>
> >> Alexei
> >>
> >> [1] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
> >>
> >>>
> >>> Without setting CAP_PERFMON:
> >>>
> >>> $ getcap ./perf
> >>> $ ./perf stat -a ls
> >>> Error:
> >>> Access to performance monitoring and observability operations is limited.
> >>> $ ./perf stat ls
> >>> Performance counter stats for 'ls':
> >>> 2.06 msec task-clock:u # 0.418 CPUs utilized
> >>> 0 context-switches:u # 0.000 K/sec
> >>> 0 cpu-migrations:u # 0.000 K/sec
> >>>
> >>> With CAP_PERFMON:
> >>>
> >>> $ getcap ./perf
> >>> ./perf = cap_perfmon+ep
> >>> $ ./perf stat -a ls
> >>> Performance counter stats for 'system wide':
> >>> 142.42 msec cpu-clock # 25.062 CPUs utilized
> >>> 182 context-switches # 0.001 M/sec
> >>> 48 cpu-migrations # 0.337 K/sec
> >>> $ ./perf stat ls
> >>> Error:
> >>> Access to performance monitoring and observability operations is limited.
> >>>
> >>> Am I missing something silly?
> >>>
> >>> Analysis:
> >>> ---------
> >>> A bit more analysis lead me to below kernel code fs/exec.c:
> >>>
> >>> begin_new_exec()
> >>> {
> >>> ...
> >>> if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP ||
> >>> !(uid_eq(current_euid(), current_uid()) &&
> >>> gid_eq(current_egid(), current_gid())))
> >>> set_dumpable(current->mm, suid_dumpable);
> >>> else
> >>> set_dumpable(current->mm, SUID_DUMP_USER);
> >>>
> >>> ...
> >>> commit_creds(bprm->cred);
> >>> }
> >>>
> >>> When I execute './perf stat ls', it's going into else condition and thus sets
> >>> dumpable flag as SUID_DUMP_USER. Then in commit_creds():
> >>>
> >>> int commit_creds(struct cred *new)
> >>> {
> >>> ...
> >>> /* dumpability changes */
> >>> if (...
> >>> !cred_cap_issubset(old, new)) {
> >>> if (task->mm)
> >>> set_dumpable(task->mm, suid_dumpable);
> >>> }
> >>>
> >>> !cred_cap_issubset(old, new) fails for perf without any capability and thus
> >>> it doesn't execute set_dumpable(). Whereas that condition passes for perf
> >>> with CAP_PERFMON and thus it overwrites old value (SUID_DUMP_USER) with
> >>> suid_dumpable in mm_flags. On an Ubuntu, suid_dumpable default value is
> >>> SUID_DUMP_ROOT. On Fedora, it's SUID_DUMP_DISABLE. (/proc/sys/fs/suid_dumpable).
> >>>
> >>> Now while opening an event:
> >>>
> >>> perf_event_open()
> >>> ptrace_may_access()
> >>> __ptrace_may_access() {
> >>> ...
> >>> if (mm &&
> >>> ((get_dumpable(mm) != SUID_DUMP_USER) &&
> >>> !ptrace_has_cap(cred, mm->user_ns, mode)))
> >>> return -EPERM;
> >>> }
> >>>
> >>> This if condition passes for perf with CAP_PERFMON and thus it returns -EPERM.
> >>> But it fails for perf without CAP_PERFMON and thus it goes ahead and returns
> >>> success. So opening an event fails when perf has CAP_PREFMON and tries to open
> >>> process specific event as normal user.
> >>>
> >>> Workarounds:
> >>> ------------
> >>> Based on above analysis, I found couple of workarounds (examples are on
> >>> Ubuntu 18.04.4 powerpc):
> >>>
> >>> Workaround1:
> >>> Setting SUID_DUMP_USER as default (in /proc/sys/fs/suid_dumpable) solves the
> >>> issue.
> >>>
> >>> # echo 1 > /proc/sys/fs/suid_dumpable
> >>> $ getcap ./perf
> >>> ./perf = cap_perfmon+ep
> >>> $ ./perf stat ls
> >>> Performance counter stats for 'ls':
> >>> 1.47 msec task-clock # 0.806 CPUs utilized
> >>> 0 context-switches # 0.000 K/sec
> >>> 0 cpu-migrations # 0.000 K/sec
> >>>
> >>> Workaround2:
> >>> Using CAP_SYS_PTRACE along with CAP_PERFMON solves the issue.
> >>>
> >>> $ cat /proc/sys/fs/suid_dumpable
> >>> 2
> >>> # setcap "cap_perfmon,cap_sys_ptrace=ep" ./perf
> >>> $ ./perf stat ls
> >>> Performance counter stats for 'ls':
> >>> 1.41 msec task-clock # 0.826 CPUs utilized
> >>> 0 context-switches # 0.000 K/sec
> >>> 0 cpu-migrations # 0.000 K/sec
> >>>
> >>> Workaround3:
> >>> Adding CAP_PERFMON to parent of perf (/bin/bash) also solves the issue.
> >>>
> >>> $ cat /proc/sys/fs/suid_dumpable
> >>> 2
> >>> # setcap "cap_perfmon=ep" /bin/bash
> >>> # setcap "cap_perfmon=ep" ./perf
> >>> $ bash
> >>> $ ./perf stat ls
> >>> Performance counter stats for 'ls':
> >>> 1.47 msec task-clock # 0.806 CPUs utilized
> >>> 0 context-switches # 0.000 K/sec
> >>> 0 cpu-migrations # 0.000 K/sec
> >>>
> >>> - Ravi
> >
--
- Arnaldo
next prev parent reply other threads:[~2020-07-13 12:17 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-02 8:42 [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability Alexey Budankov
2020-04-02 8:45 ` [PATCH v8 01/12] capabilities: introduce CAP_PERFMON to kernel and user space Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] capabilities: Introduce " tip-bot2 for Alexey Budankov
2020-04-02 8:46 ` [PATCH v8 02/12] perf/core: open access to the core for CAP_PERFMON privileged process Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] perf/core: Open " tip-bot2 for Alexey Budankov
2020-04-02 8:47 ` [PATCH v8 03/12] perf/core: open access to probes " Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] " tip-bot2 for Alexey Budankov
2020-04-02 8:47 ` [PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON capability support Alexey Budankov
2020-04-03 11:08 ` Jiri Olsa
2020-04-03 13:08 ` Alexey Budankov
2020-04-04 2:18 ` Namhyung Kim
2020-04-04 8:18 ` Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] perf tools: Support CAP_PERFMON capability tip-bot2 for Alexey Budankov
2020-04-02 8:48 ` [PATCH v8 05/12] drm/i915/perf: open access for CAP_PERFMON privileged process Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] drm/i915/perf: Open " tip-bot2 for Alexey Budankov
2020-04-02 8:48 ` [PATCH v8 06/12] trace/bpf_trace: open " Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] trace/bpf_trace: Open " tip-bot2 for Alexey Budankov
2020-04-02 8:49 ` [PATCH v8 07/12] powerpc/perf: open " Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] " tip-bot2 for Alexey Budankov
2020-04-02 8:50 ` [PATCH v8 08/12] parisc/perf: " Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] " tip-bot2 for Alexey Budankov
2020-04-02 8:51 ` [PATCH v8 09/12] drivers/perf: " Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] drivers/perf: Open " tip-bot2 for Alexey Budankov
2020-04-02 8:53 ` [PATCH v8 10/12] drivers/oprofile: open " Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] drivers/oprofile: Open " tip-bot2 for Alexey Budankov
2020-04-02 8:54 ` [PATCH v8 11/12] doc/admin-guide: update perf-security.rst with CAP_PERFMON information Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] doc/admin-guide: Update " tip-bot2 for Alexey Budankov
2020-04-02 8:54 ` [PATCH v8 12/12] doc/admin-guide: update kernel.rst " Alexey Budankov
2020-04-05 14:10 ` Arnaldo Carvalho de Melo
2020-04-05 14:41 ` Alexey Budankov
2020-04-05 14:54 ` Alexey Budankov
2020-04-05 15:05 ` Arnaldo Carvalho de Melo
2020-04-05 15:51 ` Alexey Budankov
2020-04-22 12:17 ` [tip: perf/core] " tip-bot2 for Alexey Budankov
2020-04-07 14:30 ` [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability Arnaldo Carvalho de Melo
2020-04-07 14:35 ` Arnaldo Carvalho de Melo
2020-04-07 14:54 ` Alexey Budankov
2020-04-07 16:36 ` Arnaldo Carvalho de Melo
2020-04-07 16:40 ` Arnaldo Carvalho de Melo
2020-04-07 17:17 ` Alexey Budankov
2020-04-07 16:52 ` Alexey Budankov
2020-04-07 17:02 ` Arnaldo Carvalho de Melo
2020-04-07 17:32 ` Alexey Budankov
2020-04-07 16:56 ` Arnaldo Carvalho de Melo
2020-04-07 17:23 ` Arnaldo Carvalho de Melo
2020-07-10 13:31 ` Ravi Bangoria
2020-07-10 14:30 ` Alexey Budankov
2020-07-10 17:09 ` Arnaldo Carvalho de Melo
2020-07-13 9:48 ` Alexey Budankov
2020-07-13 12:17 ` Arnaldo Carvalho de Melo [this message]
2020-07-13 12:37 ` Alexey Budankov
2020-07-13 18:51 ` Arnaldo Carvalho de Melo
2020-07-14 10:59 ` Peter Zijlstra
2020-07-14 15:27 ` Arnaldo Carvalho de Melo
2020-07-21 13:06 ` Alexey Budankov
2020-07-22 11:30 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200713121746.GA7029@kernel.org \
--to=acme@kernel.org \
--cc=ak@linux.intel.com \
--cc=alexey.budankov@linux.intel.com \
--cc=ast@kernel.org \
--cc=eranian@google.com \
--cc=ilubashe@akamai.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jmorris@namei.org \
--cc=jolsa@redhat.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=ravi.bangoria@linux.ibm.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=songliubraving@fb.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).