From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
"benh@kernel.crashing.org" <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Robert Richter <rric@kernel.org>,
Alexei Starovoitov <ast@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Igor Lubashev <ilubashe@akamai.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Song Liu <songliubraving@fb.com>,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
linux-arm-kernel@lists.infradead.org,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
oprofile-list@lists.sf.net
Subject: [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
Date: Mon, 20 Jan 2020 14:23:00 +0300 [thread overview]
Message-ID: <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> (raw)
In-Reply-To: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com>
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems.
CAP_PERFMON intends to harden system security and integrity during system
performance monitoring and observability operations by decreasing attack
surface that is available to a CAP_SYS_ADMIN privileged process [1].
Providing access to system performance monitoring and observability
operations under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and
makes operation more secure.
CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials following the recommendations in the
capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is
overloaded; see Notes to kernel developers, below."
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official embargoed hardware issues mitigation procedure [2].
The bugs in the software itself could be fixed following the standard
kernel development process [3] to maintain and harden security of system
performance monitoring and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 12 ++++++++++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..8784969d91e1 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ struct user_namespace *ns = &init_user_ns;
+
+ if (ns_capable_noaudit(ns, CAP_PERFMON))
+ return ns_capable(ns, CAP_PERFMON);
+
+ if (ns_capable_noaudit(ns, CAP_SYS_ADMIN))
+ return ns_capable(ns, CAP_SYS_ADMIN);
+
+ return false;
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..8b416e5f3afa 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..c599b0c2b0e7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
"benh@kernel.crashing.org" <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Robert Richter <rric@kernel.org>,
Alexei Starovoitov <ast@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Igor Lubashev <ilubashe@akamai.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Song Liu <songliubraving@fb.com>,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
Date: Mon, 20 Jan 2020 14:23:00 +0300 [thread overview]
Message-ID: <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> (raw)
In-Reply-To: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com>
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems.
CAP_PERFMON intends to harden system security and integrity during system
performance monitoring and observability operations by decreasing attack
surface that is available to a CAP_SYS_ADMIN privileged process [1].
Providing access to system performance monitoring and observability
operations under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and
makes operation more secure.
CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials following the recommendations in the
capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is
overloaded; see Notes to kernel developers, below."
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official embargoed hardware issues mitigation procedure [2].
The bugs in the software itself could be fixed following the standard
kernel development process [3] to maintain and harden security of system
performance monitoring and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 12 ++++++++++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..8784969d91e1 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ struct user_namespace *ns = &init_user_ns;
+
+ if (ns_capable_noaudit(ns, CAP_PERFMON))
+ return ns_capable(ns, CAP_PERFMON);
+
+ if (ns_capable_noaudit(ns, CAP_SYS_ADMIN))
+ return ns_capable(ns, CAP_SYS_ADMIN);
+
+ return false;
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..8b416e5f3afa 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..c599b0c2b0e7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
"benh@kernel.crashing.org" <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Robert Richter <rric@kernel.org>,
Alexei Starovoitov <ast@kernel.org>
Cc: Song Liu <songliubraving@fb.com>, Andi Kleen <ak@linux.intel.com>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
Igor Lubashev <ilubashe@akamai.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
Stephane Eranian <eranian@google.com>,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
oprofile-list@lists.sf.net,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Jiri Olsa <jolsa@redhat.com>,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
Date: Mon, 20 Jan 2020 14:23:00 +0300 [thread overview]
Message-ID: <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> (raw)
In-Reply-To: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com>
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems.
CAP_PERFMON intends to harden system security and integrity during system
performance monitoring and observability operations by decreasing attack
surface that is available to a CAP_SYS_ADMIN privileged process [1].
Providing access to system performance monitoring and observability
operations under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and
makes operation more secure.
CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials following the recommendations in the
capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is
overloaded; see Notes to kernel developers, below."
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official embargoed hardware issues mitigation procedure [2].
The bugs in the software itself could be fixed following the standard
kernel development process [3] to maintain and harden security of system
performance monitoring and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 12 ++++++++++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..8784969d91e1 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ struct user_namespace *ns = &init_user_ns;
+
+ if (ns_capable_noaudit(ns, CAP_PERFMON))
+ return ns_capable(ns, CAP_PERFMON);
+
+ if (ns_capable_noaudit(ns, CAP_SYS_ADMIN))
+ return ns_capable(ns, CAP_SYS_ADMIN);
+
+ return false;
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..8b416e5f3afa 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..c599b0c2b0e7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
"benh@kernel.crashing.org" <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Robert Richter <rric@kernel.org>,
Alexei Starovoitov <ast@kernel.org>
Cc: Song Liu <songliubraving@fb.com>, Andi Kleen <ak@linux.intel.com>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
Igor Lubashev <ilubashe@akamai.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
Stephane Eranian <eranian@google.com>,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
oprofile-list@lists.sf.net,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Jiri Olsa <jolsa@redhat.com>,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
Date: Mon, 20 Jan 2020 14:23:00 +0300 [thread overview]
Message-ID: <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> (raw)
In-Reply-To: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com>
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems.
CAP_PERFMON intends to harden system security and integrity during system
performance monitoring and observability operations by decreasing attack
surface that is available to a CAP_SYS_ADMIN privileged process [1].
Providing access to system performance monitoring and observability
operations under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and
makes operation more secure.
CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials following the recommendations in the
capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is
overloaded; see Notes to kernel developers, below."
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official embargoed hardware issues mitigation procedure [2].
The bugs in the software itself could be fixed following the standard
kernel development process [3] to maintain and harden security of system
performance monitoring and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 12 ++++++++++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..8784969d91e1 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ struct user_namespace *ns = &init_user_ns;
+
+ if (ns_capable_noaudit(ns, CAP_PERFMON))
+ return ns_capable(ns, CAP_PERFMON);
+
+ if (ns_capable_noaudit(ns, CAP_SYS_ADMIN))
+ return ns_capable(ns, CAP_SYS_ADMIN);
+
+ return false;
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..8b416e5f3afa 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..c599b0c2b0e7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
"benh@kernel.crashing.org" <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Robert Richter <rric@kernel.org>,
Alexei Starovoitov <ast@kernel.org>
Cc: Song Liu <songliubraving@fb.com>, Andi Kleen <ak@linux.intel.com>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
Igor Lubashev <ilubashe@akamai.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
Stephane Eranian <eranian@google.com>,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
oprofile-list@lists.sf.net, Namhyung Kim <namhyung@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Jiri Olsa <jolsa@redhat.com>,
linux-arm-kernel@lists.infradead.org
Subject: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
Date: Mon, 20 Jan 2020 14:23:00 +0300 [thread overview]
Message-ID: <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> (raw)
In-Reply-To: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com>
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems.
CAP_PERFMON intends to harden system security and integrity during system
performance monitoring and observability operations by decreasing attack
surface that is available to a CAP_SYS_ADMIN privileged process [1].
Providing access to system performance monitoring and observability
operations under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and
makes operation more secure.
CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials following the recommendations in the
capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is
overloaded; see Notes to kernel developers, below."
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official embargoed hardware issues mitigation procedure [2].
The bugs in the software itself could be fixed following the standard
kernel development process [3] to maintain and harden security of system
performance monitoring and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 12 ++++++++++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..8784969d91e1 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ struct user_namespace *ns = &init_user_ns;
+
+ if (ns_capable_noaudit(ns, CAP_PERFMON))
+ return ns_capable(ns, CAP_PERFMON);
+
+ if (ns_capable_noaudit(ns, CAP_SYS_ADMIN))
+ return ns_capable(ns, CAP_SYS_ADMIN);
+
+ return false;
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..8b416e5f3afa 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..c599b0c2b0e7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2020-01-20 11:23 UTC|newest]
Thread overview: 163+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-20 11:18 [PATCH v5 0/10] Introduce CAP_PERFMON to secure system performance monitoring and observability Alexey Budankov
2020-01-20 11:18 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:18 ` Alexey Budankov
2020-01-20 11:18 ` Alexey Budankov
2020-01-20 11:18 ` Alexey Budankov
2020-01-20 11:23 ` Alexey Budankov [this message]
2020-01-20 11:23 ` [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space Alexey Budankov
2020-01-20 11:23 ` Alexey Budankov
2020-01-20 11:23 ` Alexey Budankov
2020-01-20 11:23 ` Alexey Budankov
2020-01-21 14:43 ` Stephen Smalley
2020-01-21 14:43 ` [Intel-gfx] " Stephen Smalley
2020-01-21 14:43 ` Stephen Smalley
2020-01-21 14:43 ` Stephen Smalley
2020-01-21 14:43 ` Stephen Smalley
2020-01-21 17:30 ` Alexey Budankov
2020-01-21 17:30 ` [Intel-gfx] " Alexey Budankov
2020-01-21 17:30 ` Alexey Budankov
2020-01-21 17:30 ` Alexey Budankov
2020-01-21 17:30 ` Alexey Budankov
2020-01-21 17:55 ` Alexei Starovoitov
2020-01-21 17:55 ` [Intel-gfx] " Alexei Starovoitov
2020-01-21 17:55 ` Alexei Starovoitov
2020-01-21 17:55 ` Alexei Starovoitov
2020-01-21 17:55 ` Alexei Starovoitov
2020-01-21 18:27 ` Alexey Budankov
2020-01-21 18:27 ` [Intel-gfx] " Alexey Budankov
2020-01-21 18:27 ` Alexey Budankov
2020-01-21 18:27 ` Alexey Budankov
2020-01-21 18:27 ` Alexey Budankov
2020-01-22 10:45 ` Alexey Budankov
2020-01-22 10:45 ` [Intel-gfx] " Alexey Budankov
2020-01-22 10:45 ` Alexey Budankov
2020-01-22 10:45 ` Alexey Budankov
2020-01-22 10:45 ` Alexey Budankov
2020-01-22 14:07 ` Stephen Smalley
2020-01-22 14:07 ` [Intel-gfx] " Stephen Smalley
2020-01-22 14:07 ` Stephen Smalley
2020-01-22 14:07 ` Stephen Smalley
2020-01-22 14:07 ` Stephen Smalley
2020-01-22 14:25 ` Alexey Budankov
2020-01-22 14:25 ` [Intel-gfx] " Alexey Budankov
2020-01-22 14:25 ` Alexey Budankov
2020-01-22 14:25 ` Alexey Budankov
2020-01-22 14:25 ` Alexey Budankov
2020-02-06 18:03 ` Alexey Budankov
2020-02-06 18:03 ` [Intel-gfx] " Alexey Budankov
2020-02-06 18:03 ` Alexey Budankov
2020-02-06 18:03 ` Alexey Budankov
2020-02-06 18:03 ` Alexey Budankov
2020-02-07 11:38 ` Thomas Gleixner
2020-02-07 11:38 ` [Intel-gfx] " Thomas Gleixner
2020-02-07 11:38 ` Thomas Gleixner
2020-02-07 11:38 ` Thomas Gleixner
2020-02-07 11:38 ` Thomas Gleixner
2020-02-07 13:39 ` Alexey Budankov
2020-02-07 13:39 ` [Intel-gfx] " Alexey Budankov
2020-02-07 13:39 ` Alexey Budankov
2020-02-07 13:39 ` Alexey Budankov
2020-02-07 13:39 ` Alexey Budankov
2020-02-20 13:05 ` Alexey Budankov
2020-02-20 13:05 ` [Intel-gfx] " Alexey Budankov
2020-02-20 13:05 ` Alexey Budankov
2020-02-20 13:05 ` Alexey Budankov
2020-02-20 13:05 ` Alexey Budankov
2020-02-12 8:53 ` Alexey Budankov
2020-02-12 8:53 ` [Intel-gfx] " Alexey Budankov
2020-02-12 8:53 ` Alexey Budankov
2020-02-12 8:53 ` Alexey Budankov
2020-02-12 8:53 ` Alexey Budankov
2020-02-12 13:32 ` Stephen Smalley
2020-02-12 13:32 ` [Intel-gfx] " Stephen Smalley
2020-02-12 13:32 ` Stephen Smalley
2020-02-12 13:32 ` Stephen Smalley
2020-02-12 13:32 ` Stephen Smalley
2020-02-12 13:53 ` Alexey Budankov
2020-02-12 13:53 ` [Intel-gfx] " Alexey Budankov
2020-02-12 13:53 ` Alexey Budankov
2020-02-12 13:53 ` Alexey Budankov
2020-02-12 13:53 ` Alexey Budankov
2020-02-12 15:21 ` Stephen Smalley
2020-02-12 15:21 ` [Intel-gfx] " Stephen Smalley
2020-02-12 15:21 ` Stephen Smalley
2020-02-12 15:21 ` Stephen Smalley
2020-02-12 15:21 ` Stephen Smalley
2020-02-12 15:45 ` Stephen Smalley
2020-02-12 15:45 ` [Intel-gfx] " Stephen Smalley
2020-02-12 15:45 ` Stephen Smalley
2020-02-12 15:45 ` Stephen Smalley
2020-02-12 15:45 ` Stephen Smalley
2020-02-12 16:56 ` Alexey Budankov
2020-02-12 16:56 ` [Intel-gfx] " Alexey Budankov
2020-02-12 16:56 ` Alexey Budankov
2020-02-12 16:56 ` Alexey Budankov
2020-02-12 16:56 ` Alexey Budankov
2020-02-12 17:09 ` Stephen Smalley
2020-02-12 17:09 ` [Intel-gfx] " Stephen Smalley
2020-02-12 17:09 ` Stephen Smalley
2020-02-12 17:09 ` Stephen Smalley
2020-02-12 17:09 ` Stephen Smalley
2020-02-13 9:05 ` Alexey Budankov
2020-02-13 9:05 ` [Intel-gfx] " Alexey Budankov
2020-02-13 9:05 ` Alexey Budankov
2020-02-13 9:05 ` Alexey Budankov
2020-02-13 9:05 ` Alexey Budankov
2020-02-12 16:16 ` Alexey Budankov
2020-02-12 16:16 ` [Intel-gfx] " Alexey Budankov
2020-02-12 16:16 ` Alexey Budankov
2020-02-12 16:16 ` Alexey Budankov
2020-02-12 16:16 ` Alexey Budankov
2020-01-20 11:24 ` [PATCH v5 02/10] perf/core: open access to the core for CAP_PERFMON privileged process Alexey Budankov
2020-01-20 11:24 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:24 ` Alexey Budankov
2020-01-20 11:24 ` Alexey Budankov
2020-01-20 11:24 ` Alexey Budankov
2020-01-20 11:26 ` [PATCH v5 03/10] perf/core: open access to anon probes " Alexey Budankov
2020-01-20 11:26 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:26 ` Alexey Budankov
2020-01-20 11:26 ` Alexey Budankov
2020-01-20 11:26 ` Alexey Budankov
2020-01-20 11:27 ` [PATCH v5 04/10] perf tool: extend Perf tool with CAP_PERFMON capability support Alexey Budankov
2020-01-20 11:27 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:27 ` Alexey Budankov
2020-01-20 11:27 ` Alexey Budankov
2020-01-20 11:27 ` Alexey Budankov
2020-01-20 11:28 ` [PATCH v5 05/10] drm/i915/perf: open access for CAP_PERFMON privileged process Alexey Budankov
2020-01-20 11:28 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:28 ` Alexey Budankov
2020-01-20 11:28 ` Alexey Budankov
2020-01-20 11:28 ` Alexey Budankov
2020-01-20 11:29 ` [PATCH v5 06/10] trace/bpf_trace: " Alexey Budankov
2020-01-20 11:29 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:29 ` Alexey Budankov
2020-01-20 11:29 ` Alexey Budankov
2020-01-20 11:29 ` Alexey Budankov
2020-01-20 11:30 ` [PATCH v5 07/10] powerpc/perf: " Alexey Budankov
2020-01-20 11:30 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:30 ` Alexey Budankov
2020-01-20 11:30 ` Alexey Budankov
2020-01-20 11:30 ` Alexey Budankov
2020-01-22 11:02 ` Anju T Sudhakar
2020-01-22 11:02 ` [Intel-gfx] " Anju T Sudhakar
2020-01-22 11:02 ` Anju T Sudhakar
2020-01-22 11:02 ` Anju T Sudhakar
2020-01-22 11:02 ` Anju T Sudhakar
2020-01-20 11:31 ` [PATCH v5 08/10] parisc/perf: " Alexey Budankov
2020-01-20 11:31 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:31 ` Alexey Budankov
2020-01-20 11:31 ` Alexey Budankov
2020-01-20 11:31 ` Alexey Budankov
2020-01-20 11:32 ` [PATCH v5 09/10] drivers/perf: " Alexey Budankov
2020-01-20 11:32 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:32 ` Alexey Budankov
2020-01-20 11:32 ` Alexey Budankov
2020-01-20 11:32 ` Alexey Budankov
2020-01-20 11:33 ` [PATCH v5 10/10] drivers/oprofile: " Alexey Budankov
2020-01-20 11:33 ` [Intel-gfx] " Alexey Budankov
2020-01-20 11:33 ` Alexey Budankov
2020-01-20 11:33 ` Alexey Budankov
2020-01-20 11:33 ` Alexey Budankov
2020-01-20 16:50 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for Introduce CAP_PERFMON to secure system performance monitoring and observability Patchwork
2020-01-21 0:15 ` [Intel-gfx] ✓ Fi.CI.BAT: success " Patchwork
2020-01-21 11:00 ` [Intel-gfx] ✓ Fi.CI.IGT: " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com \
--to=alexey.budankov@linux.intel.com \
--cc=acme@kernel.org \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=ast@kernel.org \
--cc=benh@kernel.crashing.org \
--cc=eranian@google.com \
--cc=ilubashe@akamai.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=james.bottomley@hansenpartnership.com \
--cc=jani.nikula@linux.intel.com \
--cc=jmorris@namei.org \
--cc=jolsa@redhat.com \
--cc=joonas.lahtinen@linux.intel.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lionel.g.landwerlin@intel.com \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=namhyung@kernel.org \
--cc=oprofile-list@lists.sf.net \
--cc=paulus@samba.org \
--cc=peterz@infradead.org \
--cc=rodrigo.vivi@intel.com \
--cc=rric@kernel.org \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=songliubraving@fb.com \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.