* [PATCH v3 1/7] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
2019-12-16 19:52 [PATCH v3 0/7] Introduce CAP_SYS_PERFMON to secure system performance monitoring and observability Alexey Budankov
From: Alexey Budankov @ 2019-12-16 19:58 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
Introduce the CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability so that CAP_SYS_PERFMON would assist the
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other subsystems of the kernel.

CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability by decreasing the attack surface
that is available to CAP_SYS_ADMIN privileged processes.

CAP_SYS_PERFMON intends to take over the CAP_SYS_ADMIN credentials related to
system performance monitoring and observability and balance the amount of
CAP_SYS_ADMIN credentials in accordance with the recommendations provided
in the man page for CAP_SYS_ADMIN [1]: "Note: this capability is overloaded;
see Notes to kernel developers, below."

[1] http://man7.org/linux/man-pages/man7/capabilities.7.html

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 1 +
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..6342502c4c2a 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,7 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+#define perfmon_capable() (capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
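Review bot: perfmon_capable() is added as a macro among `extern bool` declarations; a `static inline bool perfmon_capable(void)` gives the same code with type checking and a real symbol, and matches the helpers around it. The evaluation order also deserves a sentence in the description: capable() is not side-effect free, a denied check can be audited by the LSM, so `capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)` means a task holding only CAP_SYS_ADMIN records a CAP_SYS_PERFMON denial on every call, which policy authors will see as audit noise until they move such tasks to the new capability.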
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
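Review bot: the empty `+` line between the comment block and `#define CAP_SYS_PERFMON 38` detaches the comment from the definition it documents; drop it so the comment sits directly above the define, as for the other capabilities in this header. The CAP_LAST_CAP bump is correct and cap_valid() picks it up automatically; since this is a uapi header, the value 38 becomes ABI once merged, and the description should say so.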
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
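Review bot: COMMON_CAP2_PERMS and the `#error` guard are updated together, which is exactly what the guard exists to enforce, so the hunk is right. What the description should add is the policy side: under an enforcing SELinux policy a domain must be granted `capability2 sys_perfmon` before the new capability does anything, and a domain that keeps `capability sys_admin` still passes perfmon_capable(), so the attack-surface reduction promised in the cover text only materialises once policy stops granting sys_admin to monitoring domains.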
--
2.20.1
* Re: [PATCH v3 1/7] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
From: Stephen Smalley @ 2019-12-17 15:02 UTC (permalink / raw)
To: Alexey Budankov, Peter Zijlstra, Arnaldo Carvalho de Melo,
Ingo Molnar, jani.nikula, joonas.lahtinen, rodrigo.vivi,
Alexei Starovoitov, Benjamin Herrenschmidt, Paul Mackerras,
Michael Ellerman, Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
On 12/16/19 2:58 PM, Alexey Budankov wrote:
>
> Introduce CAP_SYS_PERFMON capability devoted to secure system performance
> monitoring and observability so that CAP_SYS_PERFMON would assist
> CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
> and other subsystems of the kernel.
>
> CAP_SYS_PERFMON intends to harden system security and integrity during
> system performance monitoring and observability by decreasing attack surface
> that is available to CAP_SYS_ADMIN privileged processes.
>
> CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
> system performance monitoring and observability and balance amount of
> CAP_SYS_ADMIN credentials in accordance with the recommendations provided
> in the man page for CAP_SYS_ADMIN [1]: "Note: this capability is overloaded;
> see Notes to kernel developers, below."
>
> [1] http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
> ---
> include/linux/capability.h | 1 +
> include/uapi/linux/capability.h | 8 +++++++-
> security/selinux/include/classmap.h | 4 ++--
> 3 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index ecce0f43c73a..6342502c4c2a 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -251,6 +251,7 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
> extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
> extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
> extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
> +#define perfmon_capable() (capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))
I think making it a static inline bool function instead of a macro would
be preferred?
Otherwise,
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> /* audit system wants to get cap info from files as well */
> extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
> index 240fdb9a60f6..98e03cc76c7c 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
>
> #define CAP_AUDIT_READ 37
>
> +/*
> + * Allow system performance and observability privileged operations
> + * using perf_events, i915_perf and other kernel subsystems
> + */
> +
> +#define CAP_SYS_PERFMON 38
>
> -#define CAP_LAST_CAP CAP_AUDIT_READ
> +#define CAP_LAST_CAP CAP_SYS_PERFMON
>
> #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 7db24855e12d..bae602c623b0 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -27,9 +27,9 @@
> "audit_control", "setfcap"
>
> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
> - "wake_alarm", "block_suspend", "audit_read"
> + "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
>
> -#if CAP_LAST_CAP > CAP_AUDIT_READ
> +#if CAP_LAST_CAP > CAP_SYS_PERFMON
> #error New capability defined, please update COMMON_CAP2_PERMS.
> #endif
* [PATCH v3 2/7] perf/core: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 19:59 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
Open access to perf_events monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the perf_events subsystem remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
perf_events monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/perf_event.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 34c7c6910026..f46acd69425f 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1285,7 +1285,7 @@ static inline int perf_is_paranoid(void)
static inline int perf_allow_kernel(struct perf_event_attr *attr)
{
- if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
return -EACCES;
return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
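Review bot: perf_allow_kernel() is the widest of the three gates. After this hunk CAP_SYS_PERFMON alone lets a task sample kernel addresses and resolve kernel symbols when perf_event_paranoid > 1, which is precisely what the default level 2 withholds from unprivileged users. The commit message only says "open access to perf_events monitoring"; it should spell out that the new capability conveys kernel-side visibility, so that whoever grants it to an agent knows what is being handed out.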
@@ -1293,7 +1293,7 @@ static inline int perf_allow_kernel(struct perf_event_attr *attr)
static inline int perf_allow_cpu(struct perf_event_attr *attr)
{
- if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
+ if (sysctl_perf_event_paranoid > 0 && !perfmon_capable())
return -EACCES;
return security_perf_event_open(attr, PERF_SECURITY_CPU);
@@ -1301,7 +1301,7 @@ static inline int perf_allow_cpu(struct perf_event_attr *attr)
static inline int perf_allow_tracepoint(struct perf_event_attr *attr)
{
- if (sysctl_perf_event_paranoid > -1 && !capable(CAP_SYS_ADMIN))
+ if (sysctl_perf_event_paranoid > -1 && !perfmon_capable())
return -EPERM;
return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
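Review bot: the tracepoint gate still returns -EPERM while the kernel and CPU gates above return -EACCES. This is pre-existing and the hunk preserves it, but since the perf tool's perf_evsel__open_strerror() (touched in patch 3/7) chooses its advice from the errno, a one-line comment here saying the difference is intentional would stop the next reader from "fixing" it.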
--
2.20.1
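The access decision these three hunks change, modelled in user space as an added example (this is illustrative code written for this thread, not kernel code and not part of the series). The paranoid thresholds, errno values and CAP_SYS_PERFMON = 38 are taken from the patches; CAP_SYS_ADMIN = 21 is the value in the uapi capability header, and the `struct task_caps` bitmask and the hook type stand in for the kernel's credential structure and security_perf_event_open().

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* CAP_SYS_PERFMON = 38 as proposed in patch 1/7; CAP_SYS_ADMIN = 21 is the
 * long-standing value in include/uapi/linux/capability.h. */
#define CAP_SYS_ADMIN   21
#define CAP_SYS_PERFMON 38

enum perf_security {
	PERF_SECURITY_TRACEPOINT,
	PERF_SECURITY_CPU,
	PERF_SECURITY_KERNEL,
};

/* Effective capability set of the calling task, one bit per capability
 * (a model for this example, not the kernel's struct cred). */
struct task_caps {
	unsigned long long effective;
};

/* Second stage of the decision, security_perf_event_open() in the kernel.
 * NULL stands for "no LSM objection". */
typedef int (*perf_open_hook_t)(enum perf_security what);

static bool capable(const struct task_caps *t, int cap)
{
	return (t->effective >> cap) & 1ULL;
}

/* perfmon_capable() from patch 1/7: either capability satisfies the check. */
static bool perfmon_capable(const struct task_caps *t)
{
	return capable(t, CAP_SYS_PERFMON) || capable(t, CAP_SYS_ADMIN);
}

/* perf_allow_kernel / perf_allow_cpu / perf_allow_tracepoint after patch 2/7,
 * folded into one function. Stage 1 is the sysctl threshold plus capability
 * check; stage 2, the LSM hook, only runs when stage 1 passes.
 * Returns 0 or a negative errno, as the kernel helpers do. */
static int perf_allow(const struct task_caps *t, int paranoid,
		      enum perf_security what, perf_open_hook_t hook)
{
	switch (what) {
	case PERF_SECURITY_KERNEL:
		if (paranoid > 1 && !perfmon_capable(t))
			return -EACCES;
		break;
	case PERF_SECURITY_CPU:
		if (paranoid > 0 && !perfmon_capable(t))
			return -EACCES;
		break;
	case PERF_SECURITY_TRACEPOINT:
		if (paranoid > -1 && !perfmon_capable(t))
			return -EPERM;
		break;
	default:
		return -EINVAL;
	}
	return hook ? hook(what) : 0;
}

/* The pre-series decision for comparison: only CAP_SYS_ADMIN satisfied the
 * checks, so every other bit in the effective set is masked away. */
static int perf_allow_before(const struct task_caps *t, int paranoid,
			     enum perf_security what)
{
	struct task_caps admin_only = {
		.effective = t->effective & (1ULL << CAP_SYS_ADMIN),
	};

	return perf_allow(&admin_only, paranoid, what, NULL);
}

/* Constructed LSM policy for the example: refuse kernel profiling regardless
 * of capabilities, which is what a hardened policy can do in stage 2. */
static int deny_kernel_profiling(enum perf_security what)
{
	return what == PERF_SECURITY_KERNEL ? -EACCES : 0;
}

int main(void)
{
	/* Constructed credentials: an agent holding only CAP_SYS_PERFMON. */
	struct task_caps agent = { .effective = 1ULL << CAP_SYS_PERFMON };
	int paranoid = 2; /* upstream default of kernel.perf_event_paranoid */

	printf("kernel profiling before the series: %d\n",
	       perf_allow_before(&agent, paranoid, PERF_SECURITY_KERNEL)); /* -13 */
	printf("kernel profiling after the series:  %d\n",
	       perf_allow(&agent, paranoid, PERF_SECURITY_KERNEL, NULL)); /* 0 */
	printf("same, with the LSM denying it:      %d\n",
	       perf_allow(&agent, paranoid, PERF_SECURITY_KERNEL,
			  deny_kernel_profiling)); /* -13 */
	return 0;
}
```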
* [PATCH v3 3/7] perf tool: extend Perf tool with CAP_SYS_PERFMON capability support
From: Alexey Budankov @ 2019-12-16 20:00 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
Extend error messages to mention the CAP_SYS_PERFMON capability as an option
to substitute for the CAP_SYS_ADMIN capability for secure system performance
monitoring and observability. Make perf_event_paranoid_check() aware
of the CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
tools/perf/design.txt | 3 ++-
tools/perf/util/cap.h | 4 ++++
tools/perf/util/evsel.c | 10 +++++-----
tools/perf/util/util.c | 1 +
4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/tools/perf/design.txt b/tools/perf/design.txt
index 0453ba26cdbd..71755b3e1303 100644
--- a/tools/perf/design.txt
+++ b/tools/perf/design.txt
@@ -258,7 +258,8 @@ gets schedule to. Per task counters can be created by any user, for
their own tasks.
A 'pid == -1' and 'cpu == x' counter is a per CPU counter that counts
-all events on CPU-x. Per CPU counters need CAP_SYS_ADMIN privilege.
+all events on CPU-x. Per CPU counters need CAP_SYS_PERFMON or
+CAP_SYS_ADMIN privilege.
The 'flags' parameter is currently unused and must be zero.
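Review bot: design.txt now documents the new capability for per-CPU counters only. After patch 2/7 kernel-level profiling (perf_event_paranoid > 1) and tracepoint access (perf_event_paranoid > -1) are gated by perfmon_capable() as well, so this paragraph should either mention them or point at the perf_event_paranoid description so the design document does not understate what CAP_SYS_PERFMON grants.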
diff --git a/tools/perf/util/cap.h b/tools/perf/util/cap.h
index 051dc590ceee..0f79fbf6638b 100644
--- a/tools/perf/util/cap.h
+++ b/tools/perf/util/cap.h
@@ -29,4 +29,8 @@ static inline bool perf_cap__capable(int cap __maybe_unused)
#define CAP_SYSLOG 34
#endif
+#ifndef CAP_SYS_PERFMON
+#define CAP_SYS_PERFMON 38
+#endif
+
#endif /* __PERF_CAP_H */
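Review bot: hard-coding `#define CAP_SYS_PERFMON 38` under `#ifndef` follows the existing `CAP_SYSLOG 34` fallback just above it, but it pins the tool to a number that is only final once patch 1/7 lands; if the value moves during review, `perf_cap__capable(CAP_SYS_PERFMON)` tests the wrong bit with no build error. Add a comment naming include/uapi/linux/capability.h as the source of truth, and keep the two in lockstep within the series.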
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index f4dea055b080..3a46325e3702 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -2468,14 +2468,14 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target,
"You may not have permission to collect %sstats.\n\n"
"Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n"
"which controls use of the performance events system by\n"
- "unprivileged users (without CAP_SYS_ADMIN).\n\n"
+ "unprivileged users (without CAP_SYS_PERFMON or CAP_SYS_ADMIN).\n\n"
"The current value is %d:\n\n"
" -1: Allow use of (almost) all events by all users\n"
" Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n"
- ">= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN\n"
- " Disallow raw tracepoint access by users without CAP_SYS_ADMIN\n"
- ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n"
- ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN\n\n"
+ ">= 0: Disallow ftrace function tracepoint by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
+ " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
+ ">= 1: Disallow CPU event access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
+ ">= 2: Disallow kernel profiling by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n\n"
"To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n"
" kernel.perf_event_paranoid = -1\n" ,
target->system_wide ? "system-wide " : "",
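Review bot: the help text still steers users towards lowering /proc/sys/kernel/perf_event_paranoid, with `kernel.perf_event_paranoid = -1` as the suggested permanent setting, which opens perf_events to every user on the machine. With this series there is a narrower remedy, granting CAP_SYS_PERFMON to the perf binary or to the user's session, and the message should offer that first and the sysctl change second. Separately, every line that gained "CAP_SYS_PERFMON or" now wraps on an 80-column terminal; naming both capabilities once in the introductory line and saying "without the above capabilities" in the per-level lines keeps the table readable.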
diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
index 969ae560dad9..9981db0d8d09 100644
--- a/tools/perf/util/util.c
+++ b/tools/perf/util/util.c
@@ -272,6 +272,7 @@ int perf_event_paranoid(void)
bool perf_event_paranoid_check(int max_level)
{
return perf_cap__capable(CAP_SYS_ADMIN) ||
+ perf_cap__capable(CAP_SYS_PERFMON) ||
perf_event_paranoid() <= max_level;
}
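Review bot: perf_event_paranoid_check() tests CAP_SYS_ADMIN before CAP_SYS_PERFMON; the kernel's perfmon_capable() tests the narrower capability first, and mirroring that order here documents the intent that CAP_SYS_PERFMON is the expected way to run perf. Note also that this is the tool's self-check, deciding whether to attempt an operation, while the kernel still enforces; the `perf_cap__capable(int cap __maybe_unused)` fallback visible in the cap.h hunk header ignores its argument, so a mismatch there only changes which error message the user sees, not what the kernel allows.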
--
2.20.1
* [PATCH v3 4/7] drm/i915/perf: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 20:03 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
Open access to i915_perf monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the i915_perf subsystem remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
i915_perf monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
drivers/gpu/drm/i915/i915_perf.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
index e42b86827d6b..e2697f8d04de 100644
--- a/drivers/gpu/drm/i915/i915_perf.c
+++ b/drivers/gpu/drm/i915/i915_perf.c
@@ -2748,10 +2748,10 @@ i915_perf_open_ioctl_locked(struct drm_i915_private *dev_priv,
/* Similar to perf's kernel.perf_paranoid_cpu sysctl option
* we check a dev.i915.perf_stream_paranoid sysctl option
* to determine if it's ok to access system wide OA counters
- * without CAP_SYS_ADMIN privileges.
+ * without CAP_SYS_PERFMON or CAP_SYS_ADMIN privileges.
*/
if (privileged_op &&
- i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) {
+ i915_perf_stream_paranoid && !perfmon_capable()) {
DRM_DEBUG("Insufficient privileges to open system-wide i915 perf stream\n");
ret = -EACCES;
goto err_ctx;
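Review bot: the comment being edited still says "Similar to perf's kernel.perf_paranoid_cpu sysctl option"; there is no sysctl by that name, the knob the perf_events side uses is kernel.perf_event_paranoid (see the thresholds in patch 2/7). Since the hunk rewrites the last line of that comment anyway, correct the sysctl name in the same change rather than leaving a misleading pointer next to a freshly updated privilege check.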
@@ -2939,9 +2939,8 @@ static int read_properties_unlocked(struct drm_i915_private *dev_priv,
} else
oa_freq_hz = 0;
- if (oa_freq_hz > i915_oa_max_sample_rate &&
- !capable(CAP_SYS_ADMIN)) {
- DRM_DEBUG("OA exponent would exceed the max sampling frequency (sysctl dev.i915.oa_max_sample_rate) %uHz without root privileges\n",
+ if (oa_freq_hz > i915_oa_max_sample_rate && !perfmon_capable()) {
+ DRM_DEBUG("OA exponent would exceed the max sampling frequency (sysctl dev.i915.oa_max_sample_rate) %uHz without CAP_SYS_PERFMON or CAP_SYS_ADMIN privileges\n",
i915_oa_max_sample_rate);
return -EACCES;
}
@@ -3328,7 +3327,7 @@ int i915_perf_add_config_ioctl(struct drm_device *dev, void *data,
return -EINVAL;
}
- if (i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) {
+ if (i915_perf_stream_paranoid && !perfmon_capable()) {
DRM_DEBUG("Insufficient privileges to add i915 OA config\n");
return -EACCES;
}
@@ -3474,7 +3473,7 @@ int i915_perf_remove_config_ioctl(struct drm_device *dev, void *data,
return -ENOTSUPP;
}
- if (i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) {
+ if (i915_perf_stream_paranoid && !perfmon_capable()) {
DRM_DEBUG("Insufficient privileges to remove i915 OA config\n");
return -EACCES;
}
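Review bot: i915_perf_add_config_ioctl() and i915_perf_remove_config_ioctl() are not observation; they add and remove OA configurations, which is device state shared by every later perf stream user on that GPU. Opening them to CAP_SYS_PERFMON may well be the right call, but the commit message frames the whole patch as "monitoring", so it should say explicitly that the lighter capability also grants this configuration ability and why that is acceptable (for instance, which validation the config path applies to the registers it accepts).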
--
2.20.1
* Re: [Intel-gfx] [PATCH v3 4/7] drm/i915/perf: open access for CAP_SYS_PERFMON privileged process
From: Lionel Landwerlin @ 2019-12-17 9:45 UTC (permalink / raw)
To: Alexey Budankov, Peter Zijlstra, Arnaldo Carvalho de Melo,
Ingo Molnar, jani.nikula, joonas.lahtinen, rodrigo.vivi,
Alexei Starovoitov, Benjamin Herrenschmidt, Paul Mackerras,
Michael Ellerman, Serge Hallyn, James Morris, Casey Schaufler
Cc: songliubraving, Andi Kleen, Kees Cook, linux-parisc, Jann Horn,
Alexander Shishkin, linuxppc-dev, intel-gfx, Igor Lubashev,
linux-kernel, Stephane Eranian, linux-perf-users, selinux,
linux-security-module, Namhyung Kim, Thomas Gleixner,
Brendan Gregg, Jiri Olsa, bpf
On 16/12/2019 22:03, Alexey Budankov wrote:
> Open access to i915_perf monitoring for CAP_SYS_PERFMON privileged processes.
> For backward compatibility reasons access to i915_perf subsystem remains open
> for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure
> i915_perf monitoring is discouraged with respect to CAP_SYS_PERFMON capability.
>
> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Assuming people are fine with this new cap, I like this idea of a
lighter privilege for i915-perf.
-Lionel
* Re: [Intel-gfx] [PATCH v3 4/7] drm/i915/perf: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-17 11:38 UTC (permalink / raw)
To: Lionel Landwerlin, Peter Zijlstra, Arnaldo Carvalho de Melo,
Ingo Molnar, jani.nikula, joonas.lahtinen, rodrigo.vivi,
Alexei Starovoitov, Benjamin Herrenschmidt, Paul Mackerras,
Michael Ellerman, Serge Hallyn, James Morris, Casey Schaufler
Cc: songliubraving, Andi Kleen, Kees Cook, linux-parisc, Jann Horn,
Alexander Shishkin, linuxppc-dev, intel-gfx, Igor Lubashev,
linux-kernel, Stephane Eranian, linux-perf-users, selinux,
linux-security-module, Namhyung Kim, Thomas Gleixner,
Brendan Gregg, Jiri Olsa, bpf
On 17.12.2019 12:45, Lionel Landwerlin wrote:
> On 16/12/2019 22:03, Alexey Budankov wrote:
>> Open access to i915_perf monitoring for CAP_SYS_PERFMON privileged processes.
>> For backward compatibility reasons access to i915_perf subsystem remains open
>> for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure
>> i915_perf monitoring is discouraged with respect to CAP_SYS_PERFMON capability.
>>
>> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
>
>
> Assuming people are fine with this new cap, I like this idea of a lighter privilege for i915-perf.
Lionel, thanks for your meaningful input!
Appreciate your collaboration.
Regards,
Alexey
>
>
> -Lionel
* [PATCH v3 5/7] trace/bpf_trace: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 20:03 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
Open access to bpf_trace monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to bpf_trace monitoring remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
bpf_trace monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
kernel/trace/bpf_trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 44bd08f2443b..bafe21ac6d92 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1272,7 +1272,7 @@ int perf_event_query_prog_array(struct perf_event *event, void __user *info)
u32 *ids, prog_cnt, ids_len;
int ret;
- if (!capable(CAP_SYS_ADMIN))
+ if (!perfmon_capable())
return -EPERM;
if (event->attr.type != PERF_TYPE_TRACEPOINT)
return -EINVAL;
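Review bot: perf_event_query_prog_array() only reports which BPF programs are attached to a tracepoint event (the `ids`/`prog_cnt` copy-out in the context lines), so this is a read-only query and a good fit for the lighter capability. The commit message calls it "bpf_trace monitoring", which is vaguer than the change; name the function and state that attaching and detaching programs is untouched by this patch, so nobody reads the subject line as "CAP_SYS_PERFMON can now load tracing programs".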
--
2.20.1
* [PATCH v3 6/7] powerpc/perf: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 20:04 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
Open access to monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the monitoring remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
arch/powerpc/perf/imc-pmu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c
index cb50a9e1fd2d..e837717492e4 100644
--- a/arch/powerpc/perf/imc-pmu.c
+++ b/arch/powerpc/perf/imc-pmu.c
@@ -898,7 +898,7 @@ static int thread_imc_event_init(struct perf_event *event)
if (event->attr.type != event->pmu->type)
return -ENOENT;
- if (!capable(CAP_SYS_ADMIN))
+ if (!perfmon_capable())
return -EACCES;
/* Sampling not supported */
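Review bot: the commit message is the generic template ("Open access to monitoring") and never says what is being opened; unlike the perf_events and i915 patches it does not name the subsystem. Say that this is the powerpc IMC PMU, that the gate is in thread_imc_event_init() (and trace_imc_event_init() in the next hunk), and what data those event types expose, since that is what determines whether the lighter capability is appropriate here.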
@@ -1307,7 +1307,7 @@ static int trace_imc_event_init(struct perf_event *event)
if (event->attr.type != event->pmu->type)
return -ENOENT;
- if (!capable(CAP_SYS_ADMIN))
+ if (!perfmon_capable())
return -EACCES;
/* Return if this is a couting event */
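Review bot: the trailing context line `/* Return if this is a couting event */` misspells "counting"; it is not part of this change, so leave it out of this patch, but it is worth a separate one-line cleanup while the file is being touched.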
--
2.20.1
* [PATCH v3 7/7] parisc/perf: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 20:05 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
Serge Hallyn, James Morris, Casey Schaufler
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Kees Cook, Jann Horn,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, Brendan Gregg,
songliubraving, bpf, linux-parisc, linuxppc-dev
Open access to monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the monitoring remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
arch/parisc/kernel/perf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/parisc/kernel/perf.c b/arch/parisc/kernel/perf.c
index 676683641d00..c4208d027794 100644
--- a/arch/parisc/kernel/perf.c
+++ b/arch/parisc/kernel/perf.c
@@ -300,7 +300,7 @@ static ssize_t perf_write(struct file *file, const char __user *buf,
else
return -EFAULT;
- if (!capable(CAP_SYS_ADMIN))
+ if (!perfmon_capable())
return -EACCES;
if (count != sizeof(uint32_t))
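Review bot: perf_write() is a write path: user space writes a 32-bit command word into the parisc perf device (the `count != sizeof(uint32_t)` check right after the capability test), which programs the counters rather than reading them. The generic commit message should say so, so reviewers can judge whether "monitoring" fits this entry point; nothing is lost because CAP_SYS_ADMIN still passes perfmon_capable(), but the description should not leave the impression that the operation is read-only.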
--
2.20.1