From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.3 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF4A6C35DF5 for ; Tue, 25 Feb 2020 09:58:13 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id BDDF621744 for ; Tue, 25 Feb 2020 09:58:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="L8uqlMnL" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BDDF621744 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date: Message-ID:References:To:Subject:From:Reply-To:Content-ID:Content-Description :Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=Ag1tLg1o50AQCT6syHKh/T+dCVFPWofa0fu5Rvr3ofk=; b=L8uqlMnLuMudYP gf01IoMzPbqZyz3uYJUhQZTnRehXLXfMxyQwsqgv0QP4SdHp9Nl9s3iUl3wLCqPgVnR7cFq5nzdKr IMHwM+cdmyo6GMJ2R1axe47HU1Xu2GER2PzTpVdX2HNlLEApBUqNoCQ8ui3LHADxuR7kbSree5E3v Wbwe5/H01qhr65PRwU1doYxXOoQrNjPn2AdFHZ9yQu9KQxhmiZsEy9PtfmLf5e3uX66/7vLU2NPhg UA7v+OuLWYqRxfR/eO25zdFHhIgXs2oOLWIRK9sC9U+kjQYa1rdXNGDpbGtn7RGVp42O1yhtPR1/n HVB3wKCw+/P7d9K7Urxg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1j6Wye-0000WX-33; Tue, 25 Feb 2020 09:58:08 +0000 Received: from mga02.intel.com ([134.134.136.20]) by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1j6WyZ-0000CB-TR for linux-arm-kernel@lists.infradead.org; Tue, 25 Feb 2020 09:58:05 +0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Feb 2020 01:56:01 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,483,1574150400"; d="scan'208";a="317039975" Received: from linux.intel.com ([10.54.29.200]) by orsmga001.jf.intel.com with ESMTP; 25 Feb 2020 01:56:01 -0800 Received: from [10.125.253.45] (abudanko-mobl.ccr.corp.intel.com [10.125.253.45]) by linux.intel.com (Postfix) with ESMTP id 3429A58052E; Tue, 25 Feb 2020 01:55:54 -0800 (PST) From: Alexey Budankov Subject: Re: [PATCH v7 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability To: James Morris , Serge Hallyn , Stephen Smalley , Peter Zijlstra , Arnaldo Carvalho de Melo , Ingo Molnar , "joonas.lahtinen@linux.intel.com" , Alexei Starovoitov , Will Deacon , Paul Mackerras , Helge Deller , Thomas Gleixner References: Organization: Intel Corp. Message-ID: <3ae0bed5-204e-de81-7647-5f0d8106cd67@linux.intel.com> Date: Tue, 25 Feb 2020 12:55:54 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200225_015804_001123_00B44A6C X-CRM114-Status: GOOD ( 30.23 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-man@vger.kernel.org, Andi Kleen , "linux-parisc@vger.kernel.org" , "linux-doc@vger.kernel.org" , "selinux@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" , "intel-gfx@lists.freedesktop.org" , Igor Lubashev , linux-kernel , Stephane Eranian , "linux-security-module@vger.kernel.org" , oprofile-list@lists.sf.net, Jiri Olsa , linux-arm-kernel Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi, Is there anything else I could do in order to move the changes forward or is something still missing from this patch set? Could you please share you mind? Thanks, Alexey On 17.02.2020 11:02, Alexey Budankov wrote: > > Currently access to perf_events, i915_perf and other performance > monitoring and observability subsystems of the kernel is open only for > a privileged process [1] with CAP_SYS_ADMIN capability enabled in the > process effective set [2]. > > This patch set introduces CAP_PERFMON capability designed to secure > system performance monitoring and observability operations so that > CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role > for performance monitoring and observability subsystems of the kernel. > > CAP_PERFMON intends to harden system security and integrity during > performance monitoring and observability operations by decreasing attack > surface that is available to a CAP_SYS_ADMIN privileged process [2]. > Providing the access to performance monitoring and observability > operations under CAP_PERFMON capability singly, without the rest of > CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials > and makes the operation more secure. Thus, CAP_PERFMON implements the > principal of least privilege for performance monitoring and > observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle of > least privilege: A security design principle that states that a process > or program be granted only those privileges (e.g., capabilities) > necessary to accomplish its legitimate function, and only for the time > that such privileges are actually required) > > CAP_PERFMON intends to meet the demand to secure system performance > monitoring and observability operations for adoption in security > sensitive, restricted, multiuser production environments (e.g. HPC > clusters, cloud and virtual compute environments), where root or > CAP_SYS_ADMIN credentials are not available to mass users of a system, > and securely unblock accessibility of system performance monitoring and > observability operations beyond root and CAP_SYS_ADMIN use cases. > > CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to > system performance monitoring and observability operations and balance > amount of CAP_SYS_ADMIN credentials following the recommendations in > the capabilities man page [2] for CAP_SYS_ADMIN: "Note: this capability > is overloaded; see Notes to kernel developers, below." For backward > compatibility reasons access to system performance monitoring and > observability subsystems of the kernel remains open for CAP_SYS_ADMIN > privileged processes but CAP_SYS_ADMIN capability usage for secure > system performance monitoring and observability operations is > discouraged with respect to the designed CAP_PERFMON capability. > > Possible alternative solution to this system security hardening, > capabilities balancing task of making performance monitoring and > observability operations more secure and accessible could be to use > the existing CAP_SYS_PTRACE capability to govern system performance > monitoring and observability subsystems. However CAP_SYS_PTRACE > capability still provides users with more credentials than are > required for secure performance monitoring and observability > operations and this excess is avoided by the designed CAP_PERFMON. > > Although software running under CAP_PERFMON can not ensure avoidance of > related hardware issues, the software can still mitigate those issues > following the official hardware issues mitigation procedure [3]. The > bugs in the software itself can be fixed following the standard kernel > development process [4] to maintain and harden security of system > performance monitoring and observability operations. Finally, the patch > set is shaped in the way that simplifies backtracking procedure of > possible induced issues [5] as much as possible. > > The patch set is for tip perf/core repository: > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip perf/core > sha1: fdb64822443ec9fb8c3a74b598a74790ae8d2e22 > > --- > Changes in v7: > - updated and extended kernel.rst and perf-security.rst documentation > files with the information about CAP_PERFMON capability and its use cases > - documented the case of double audit logging of CAP_PERFMON and CAP_SYS_ADMIN > capabilities on a SELinux enabled system > Changes in v6: > - avoided noaudit checks in perfmon_capable() to explicitly advertise > CAP_PERFMON usage thru audit logs to secure system performance > monitoring and observability > Changes in v5: > - renamed CAP_SYS_PERFMON to CAP_PERFMON > - extended perfmon_capable() with noaudit checks > Changes in v4: > - converted perfmon_capable() into an inline function > - made perf_events kprobes, uprobes, hw breakpoints and namespaces data > available to CAP_SYS_PERFMON privileged processes > - applied perfmon_capable() to drivers/perf and drivers/oprofile > - extended __cmd_ftrace() with support of CAP_SYS_PERFMON > Changes in v3: > - implemented perfmon_capable() macros aggregating required capabilities > checks > Changes in v2: > - made perf_events trace points available to CAP_SYS_PERFMON privileged > processes > - made perf_event_paranoid_check() treat CAP_SYS_PERFMON equally to > CAP_SYS_ADMIN > - applied CAP_SYS_PERFMON to i915_perf, bpf_trace, powerpc and parisc > system performance monitoring and observability related subsystems > > --- > Alexey Budankov (12): > capabilities: introduce CAP_PERFMON to kernel and user space > perf/core: open access to the core for CAP_PERFMON privileged process > perf/core: open access to probes for CAP_PERFMON privileged process > perf tool: extend Perf tool with CAP_PERFMON capability support > drm/i915/perf: open access for CAP_PERFMON privileged process > trace/bpf_trace: open access for CAP_PERFMON privileged process > powerpc/perf: open access for CAP_PERFMON privileged process > parisc/perf: open access for CAP_PERFMON privileged process > drivers/perf: open access for CAP_PERFMON privileged process > drivers/oprofile: open access for CAP_PERFMON privileged process > doc/admin-guide: update perf-security.rst with CAP_PERFMON information > doc/admin-guide: update kernel.rst with CAP_PERFMON information > > Documentation/admin-guide/perf-security.rst | 65 +++++++++++++-------- > Documentation/admin-guide/sysctl/kernel.rst | 16 +++-- > arch/parisc/kernel/perf.c | 2 +- > arch/powerpc/perf/imc-pmu.c | 4 +- > drivers/gpu/drm/i915/i915_perf.c | 13 ++--- > drivers/oprofile/event_buffer.c | 2 +- > drivers/perf/arm_spe_pmu.c | 4 +- > include/linux/capability.h | 4 ++ > include/linux/perf_event.h | 6 +- > include/uapi/linux/capability.h | 8 ++- > kernel/events/core.c | 6 +- > kernel/trace/bpf_trace.c | 2 +- > security/selinux/include/classmap.h | 4 +- > tools/perf/builtin-ftrace.c | 5 +- > tools/perf/design.txt | 3 +- > tools/perf/util/cap.h | 4 ++ > tools/perf/util/evsel.c | 10 ++-- > tools/perf/util/util.c | 1 + > 18 files changed, 98 insertions(+), 61 deletions(-) > > --- > Validation (Intel Skylake, 8 cores, Fedora 29, 5.5.0-rc3+, x86_64): > > libcap library [6], [7], [8] and Perf tool can be used to apply > CAP_PERFMON capability for secure system performance monitoring and > observability beyond the scope permitted by the system wide > perf_event_paranoid kernel setting [9] and below are the steps for > evaluation: > > - patch, build and boot the kernel > - patch, build Perf tool e.g. to /home/user/perf > ... > # git clone git://git.kernel.org/pub/scm/libs/libcap/libcap.git libcap > # pushd libcap > # patch libcap/include/uapi/linux/capabilities.h with [PATCH 1] > # make > # pushd progs > # ./setcap "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" /home/user/perf > # ./setcap -v "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" /home/user/perf > /home/user/perf: OK > # ./getcap /home/user/perf > /home/user/perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep > # echo 2 > /proc/sys/kernel/perf_event_paranoid > # cat /proc/sys/kernel/perf_event_paranoid > 2 > ... > $ /home/user/perf top > ... works as expected ... > $ cat /proc/`pidof perf`/status > Name: perf > Umask: 0002 > State: S (sleeping) > Tgid: 2958 > Ngid: 0 > Pid: 2958 > PPid: 9847 > TracerPid: 0 > Uid: 500 500 500 500 > Gid: 500 500 500 500 > FDSize: 256 > ... > CapInh: 0000000000000000 > CapPrm: 0000004400080000 > CapEff: 0000004400080000 => 01000100 00000000 00001000 00000000 00000000 > cap_perfmon,cap_sys_ptrace,cap_syslog > CapBnd: 0000007fffffffff > CapAmb: 0000000000000000 > NoNewPrivs: 0 > Seccomp: 0 > Speculation_Store_Bypass: thread vulnerable > Cpus_allowed: ff > Cpus_allowed_list: 0-7 > ... > > Usage of cap_perfmon effectively avoids unused credentials excess: > > - with cap_sys_admin: > CapEff: 0000007fffffffff => 01111111 11111111 11111111 11111111 11111111 > > - with cap_perfmon: > CapEff: 0000004400080000 => 01000100 00000000 00001000 00000000 00000000 > 38 34 19 > perfmon syslog sys_ptrace > > --- > [1] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html > [2] http://man7.org/linux/man-pages/man7/capabilities.7.html > [3] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html > [4] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html > [5] https://www.kernel.org/doc/html/latest/process/management-style.html#decisions > [6] http://man7.org/linux/man-pages/man8/setcap.8.html > [7] https://git.kernel.org/pub/scm/libs/libcap/libcap.git > [8] https://sites.google.com/site/fullycapable/, posix_1003.1e-990310.pdf > [9] http://man7.org/linux/man-pages/man2/perf_event_open.2.html > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel