* [PATCH v2 1/7] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
From: Alexey Budankov @ 2019-12-16 7:14 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
james.bottomley, benh, Casey Schaufler, serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems of the kernel.

CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
the attack surface that is available to CAP_SYS_ADMIN privileged processes.

CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance the amount
of CAP_SYS_ADMIN credentials, following the recommendations provided
in the capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..7d1f8606c3e6 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
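Review bot: the two-line comment above `#define CAP_SYS_PERFMON 38` leaves the capability's scope open-ended ("and other kernel subsystems"); an administrator grants a capability on the basis of what it unlocks, so the comment, and the perf-security admin guide that 3/7 cites, should enumerate the concrete gates this series moves under it: the perf_event_paranoid levels in 2/7, the i915_perf paranoid stream and OA config ioctls in 4/7, the BPF prog-array query in 5/7, and the IMC and parisc PMU paths in 6/7 and 7/7.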
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
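Review bot: moving the `#error` guard to `CAP_LAST_CAP > CAP_SYS_PERFMON` keeps the classmap in lockstep with the uapi header, which is the important part; the commit message should add that SELinux policies built before this change carry no `sys_perfmon` permission in the capability2 class, so a domain that is meant to use the new capability needs a policy update alongside the kernel update.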
--
2.20.1
* Re: [PATCH v2 1/7] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
From: Stephen Smalley @ 2019-12-16 14:04 UTC (permalink / raw)
To: Alexey Budankov, Peter Zijlstra, Arnaldo Carvalho de Melo,
Ingo Molnar, jani.nikula, joonas.lahtinen, rodrigo.vivi,
Alexei Starovoitov, james.bottomley, benh, Casey Schaufler,
serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
On 12/16/19 2:14 AM, Alexey Budankov wrote:
>
> Introduce CAP_SYS_PERFMON capability devoted to secure system performance
> monitoring and observability operations so that CAP_SYS_PERFMON would assist
> CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
> and other performance monitoring and observability subsystems of the kernel.
>
> CAP_SYS_PERFMON intends to harden system security and integrity during
> system performance monitoring and observability operations by decreasing
> the attack surface that is available to CAP_SYS_ADMIN privileged processes.
>
> CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
> system performance monitoring and observability operations and balance the amount
> of CAP_SYS_ADMIN credentials, following the recommendations provided
> in the capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability
> is overloaded; see Notes to kernel developers, below."
>
> [1] http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> include/uapi/linux/capability.h | 8 +++++++-
> security/selinux/include/classmap.h | 4 ++--
> 2 files changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
> index 240fdb9a60f6..7d1f8606c3e6 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
>
> #define CAP_AUDIT_READ 37
>
> +/*
> + * Allow system performance and observability privileged operations
> + * using perf_events, i915_perf and other kernel subsystems
> + */
> +
> +#define CAP_SYS_PERFMON 38
>
> -#define CAP_LAST_CAP CAP_AUDIT_READ
> +#define CAP_LAST_CAP CAP_SYS_PERFMON
>
> #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 7db24855e12d..bae602c623b0 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -27,9 +27,9 @@
> "audit_control", "setfcap"
>
> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
> - "wake_alarm", "block_suspend", "audit_read"
> + "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
>
> -#if CAP_LAST_CAP > CAP_AUDIT_READ
> +#if CAP_LAST_CAP > CAP_SYS_PERFMON
> #error New capability defined, please update COMMON_CAP2_PERMS.
> #endif
>
>
* [PATCH v2 2/7] perf/core: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 7:15 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
james.bottomley, benh, Casey Schaufler, serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
Open access to perf_events monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the perf_events subsystem remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
perf_events monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/perf_event.h | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 34c7c6910026..52313d2cc343 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1285,7 +1285,8 @@ static inline int perf_is_paranoid(void)
static inline int perf_allow_kernel(struct perf_event_attr *attr)
{
- if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
+ if (sysctl_perf_event_paranoid > 1 &&
+ !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
return -EACCES;
return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
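Review bot: `capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)` probes CAP_SYS_PERFMON first, and `capable()` goes through the LSM hook, so a process that holds only CAP_SYS_ADMIN (every existing privileged perf user) will now produce an audit denial for sys_perfmon on each perf_event_open that reaches this gate before the second call succeeds; either make the first probe non-auditing or state in the commit message that this audit noise is intended for legacy CAP_SYS_ADMIN users.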
@@ -1293,7 +1294,8 @@ static inline int perf_allow_kernel(struct perf_event_attr *attr)
static inline int perf_allow_cpu(struct perf_event_attr *attr)
{
- if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
+ if (sysctl_perf_event_paranoid > 0 &&
+ !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
return -EACCES;
return security_perf_event_open(attr, PERF_SECURITY_CPU);
@@ -1301,7 +1303,8 @@ static inline int perf_allow_cpu(struct perf_event_attr *attr)
static inline int perf_allow_tracepoint(struct perf_event_attr *attr)
{
- if (sysctl_perf_event_paranoid > -1 && !capable(CAP_SYS_ADMIN))
+ if (sysctl_perf_event_paranoid > -1 &&
+ !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
return -EPERM;
return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
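Review bot: this is the third copy of the same two-line condition in one file, and 4/7 through 7/7 add five more; a single `perfmon_capable()` helper in include/linux/capability.h would keep the policy in one place so that a later change (check ordering, audit handling) does not have to touch every caller. Also note the pre-existing asymmetry that this gate returns -EPERM while the kernel and cpu gates return -EACCES; worth a line in the commit message that the patch leaves it as is.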
--
2.20.1
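As an added example that is not part of the patch series or the kernel tree: a user-space C model of the three gates patched above, which parses an effective capability mask in /proc/<pid>/status format (sample constructed inline) and reports, per perf_event_paranoid level, whether perf_allow_kernel(), perf_allow_cpu() and perf_allow_tracepoint() would pass. CAP_SYS_PERFMON = 38 is the value proposed in 1/7; the security_perf_event_open() LSM hook is not modelled.

```c
/* Added example (not kernel code): predict which perf_event_open() gates a
 * process passes, given its effective capability set and the paranoid level,
 * using the same conditions as the patched helpers in include/linux/perf_event.h.
 * CAP_SYS_ADMIN = 21 is the existing uapi value; CAP_SYS_PERFMON = 38 is the
 * value proposed in patch 1/7 of this series. The LSM hook is not modelled. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN   21
#define CAP_SYS_PERFMON 38   /* proposed in patch 1/7 */

enum perf_check { PERF_CHECK_KERNEL, PERF_CHECK_CPU, PERF_CHECK_TRACEPOINT };

/* Mirrors capable(): is bit 'cap' set in the effective capability mask? */
static int cap_effective(uint64_t cap_eff, int cap)
{
	return (cap_eff >> cap) & 1;
}

/* Same shape as the patched condition: PERFMON or SYS_ADMIN satisfies a gate. */
static int perfmon_or_admin(uint64_t cap_eff)
{
	return cap_effective(cap_eff, CAP_SYS_PERFMON) ||
	       cap_effective(cap_eff, CAP_SYS_ADMIN);
}

/* Returns 0 when the check passes, otherwise the negative errno the kernel
 * path would return (-EACCES for kernel/cpu, -EPERM for tracepoint). */
int perf_allow(enum perf_check what, int paranoid, uint64_t cap_eff)
{
	switch (what) {
	case PERF_CHECK_KERNEL:      /* perf_allow_kernel(): paranoid > 1 */
		if (paranoid > 1 && !perfmon_or_admin(cap_eff))
			return -EACCES;
		return 0;
	case PERF_CHECK_CPU:         /* perf_allow_cpu(): paranoid > 0 */
		if (paranoid > 0 && !perfmon_or_admin(cap_eff))
			return -EACCES;
		return 0;
	case PERF_CHECK_TRACEPOINT:  /* perf_allow_tracepoint(): paranoid > -1 */
		if (paranoid > -1 && !perfmon_or_admin(cap_eff))
			return -EPERM;
		return 0;
	}
	return -EINVAL;
}

/* Extract the CapEff mask from a /proc/<pid>/status buffer. A missing line
 * yields 0, so malformed input is read as "no capabilities" (fail closed). */
uint64_t parse_cap_eff(const char *status)
{
	const char *line = strstr(status, "CapEff:");
	if (!line)
		return 0;
	return strtoull(line + strlen("CapEff:"), NULL, 16);
}

/* Constructed /proc/self/status excerpt: only bit 38 (CAP_SYS_PERFMON) is
 * effective; the bounding set covers bits 0..38 as CAP_LAST_CAP = 38 implies. */
static const char sample_status[] =
	"Name:\tperf\n"
	"CapInh:\t0000000000000000\n"
	"CapPrm:\t0000004000000000\n"
	"CapEff:\t0000004000000000\n"
	"CapBnd:\t0000007fffffffff\n";

int main(void)
{
	uint64_t eff = parse_cap_eff(sample_status);
	int level;

	/* A PERFMON-only process passes every gate at every paranoid level. */
	for (level = -1; level <= 2; level++)
		printf("paranoid=%2d kernel=%d cpu=%d tracepoint=%d\n", level,
		       perf_allow(PERF_CHECK_KERNEL, level, eff),
		       perf_allow(PERF_CHECK_CPU, level, eff),
		       perf_allow(PERF_CHECK_TRACEPOINT, level, eff));
	return 0;
}
```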
* RE: [PATCH v2 2/7] perf/core: open access for CAP_SYS_PERFMON privileged process
From: Lubashev, Igor @ 2019-12-16 16:12 UTC (permalink / raw)
To: Alexey Budankov, Peter Zijlstra, Arnaldo Carvalho de Melo,
Ingo Molnar, jani.nikula, joonas.lahtinen, rodrigo.vivi,
Alexei Starovoitov, james.bottomley, benh, Casey Schaufler,
serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Alexander Shishkin,
Namhyung Kim, Jann Horn, Kees Cook, Thomas Gleixner,
Tvrtko Ursulin, linux-security-module, selinux, linux-kernel,
linux-perf-users, intel-gfx, bgregg, Song Liu, bpf, linux-parisc,
linuxppc-dev
On Mon, Dec 16, 2019 at 2:15 AM, Alexey Budankov <alexey.budankov@linux.intel.com> wrote:
>
> Open access to perf_events monitoring for CAP_SYS_PERFMON privileged
> processes.
> For backward compatibility reasons, access to the perf_events subsystem remains
> open for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage
> for secure perf_events monitoring is discouraged with respect to
> the CAP_SYS_PERFMON capability.
>
> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
> ---
> include/linux/perf_event.h | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index
> 34c7c6910026..52313d2cc343 100644
> --- a/include/linux/perf_event.h
> +++ b/include/linux/perf_event.h
> @@ -1285,7 +1285,8 @@ static inline int perf_is_paranoid(void)
>
> static inline int perf_allow_kernel(struct perf_event_attr *attr) {
> - if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
> + if (sysctl_perf_event_paranoid > 1 &&
> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
> return -EACCES;
>
> return security_perf_event_open(attr, PERF_SECURITY_KERNEL); @@
> -1293,7 +1294,8 @@ static inline int perf_allow_kernel(struct
> perf_event_attr *attr)
>
> static inline int perf_allow_cpu(struct perf_event_attr *attr) {
> - if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
> + if (sysctl_perf_event_paranoid > 0 &&
> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
> return -EACCES;
>
> return security_perf_event_open(attr, PERF_SECURITY_CPU); @@ -
> 1301,7 +1303,8 @@ static inline int perf_allow_cpu(struct perf_event_attr
> *attr)
>
> static inline int perf_allow_tracepoint(struct perf_event_attr *attr) {
> - if (sysctl_perf_event_paranoid > -1 && !capable(CAP_SYS_ADMIN))
> + if (sysctl_perf_event_paranoid > -1 &&
> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
> return -EPERM;
>
> return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
> --
> 2.20.1
Thanks. I like the idea of CAP_SYS_PERFMON that does not require CAP_SYS_ADMIN. It makes granting users the ability to run perf a bit safer.

I see a lot of "(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))" constructs now. Maybe wrapping it in an "inline bool perfmon_capable()" defined somewhere (like in /include/linux/capability.h)?
- Igor
* Re: [PATCH v2 2/7] perf/core: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 16:33 UTC (permalink / raw)
To: Lubashev, Igor, Peter Zijlstra, Arnaldo Carvalho de Melo,
Ingo Molnar, jani.nikula, joonas.lahtinen, rodrigo.vivi,
Alexei Starovoitov, james.bottomley, benh, Casey Schaufler,
serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Alexander Shishkin,
Namhyung Kim, Jann Horn, Kees Cook, Thomas Gleixner,
Tvrtko Ursulin, linux-security-module, selinux, linux-kernel,
linux-perf-users, intel-gfx, bgregg, Song Liu, bpf, linux-parisc,
linuxppc-dev
On 16.12.2019 19:12, Lubashev, Igor wrote:
> On Mon, Dec 16, 2019 at 2:15 AM, Alexey Budankov <alexey.budankov@linux.intel.com> wrote:
>>
>> Open access to perf_events monitoring for CAP_SYS_PERFMON privileged
>> processes.
>> For backward compatibility reasons, access to the perf_events subsystem remains
>> open for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage
>> for secure perf_events monitoring is discouraged with respect to
>> the CAP_SYS_PERFMON capability.
>>
>> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
>> ---
>> include/linux/perf_event.h | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index
>> 34c7c6910026..52313d2cc343 100644
>> --- a/include/linux/perf_event.h
>> +++ b/include/linux/perf_event.h
>> @@ -1285,7 +1285,8 @@ static inline int perf_is_paranoid(void)
>>
>> static inline int perf_allow_kernel(struct perf_event_attr *attr) {
>> - if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
>> + if (sysctl_perf_event_paranoid > 1 &&
>> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
>> return -EACCES;
>>
>> return security_perf_event_open(attr, PERF_SECURITY_KERNEL); @@
>> -1293,7 +1294,8 @@ static inline int perf_allow_kernel(struct
>> perf_event_attr *attr)
>>
>> static inline int perf_allow_cpu(struct perf_event_attr *attr) {
>> - if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
>> + if (sysctl_perf_event_paranoid > 0 &&
>> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
>> return -EACCES;
>>
>> return security_perf_event_open(attr, PERF_SECURITY_CPU); @@ -
>> 1301,7 +1303,8 @@ static inline int perf_allow_cpu(struct perf_event_attr
>> *attr)
>>
>> static inline int perf_allow_tracepoint(struct perf_event_attr *attr) {
>> - if (sysctl_perf_event_paranoid > -1 && !capable(CAP_SYS_ADMIN))
>> + if (sysctl_perf_event_paranoid > -1 &&
>> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
>> return -EPERM;
>>
>> return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
>> --
>> 2.20.1
>
> Thanks. I like the idea of CAP_SYS_PERFMON that does not require CAP_SYS_ADMIN. It makes granting users the ability to run perf a bit safer.
>
> I see a lot of "(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))" constructs now. Maybe wrapping it in an "inline bool perfmon_capable()" defined somewhere (like in /include/linux/capability.h)?
Yes, it makes sense.
Thanks,
Alexey
>
> - Igor
>
* Re: [PATCH v2 2/7] perf/core: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 17:12 UTC (permalink / raw)
To: Lubashev, Igor, Peter Zijlstra, Arnaldo Carvalho de Melo,
Ingo Molnar, jani.nikula, joonas.lahtinen, rodrigo.vivi,
Alexei Starovoitov, james.bottomley, benh, Casey Schaufler,
serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Alexander Shishkin,
Namhyung Kim, Jann Horn, Kees Cook, Thomas Gleixner,
Tvrtko Ursulin, linux-security-module, selinux, linux-kernel,
linux-perf-users, intel-gfx, bgregg, Song Liu, bpf, linux-parisc,
linuxppc-dev
On 16.12.2019 19:12, Lubashev, Igor wrote:
> On Mon, Dec 16, 2019 at 2:15 AM, Alexey Budankov <alexey.budankov@linux.intel.com> wrote:
>>
>> Open access to perf_events monitoring for CAP_SYS_PERFMON privileged
>> processes.
>> For backward compatibility reasons, access to the perf_events subsystem remains
>> open for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage
>> for secure perf_events monitoring is discouraged with respect to
>> the CAP_SYS_PERFMON capability.
>>
>> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
>> ---
>> include/linux/perf_event.h | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index
>> 34c7c6910026..52313d2cc343 100644
>> --- a/include/linux/perf_event.h
>> +++ b/include/linux/perf_event.h
>> @@ -1285,7 +1285,8 @@ static inline int perf_is_paranoid(void)
>>
>> static inline int perf_allow_kernel(struct perf_event_attr *attr) {
>> - if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
>> + if (sysctl_perf_event_paranoid > 1 &&
>> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
>> return -EACCES;
>>
>> return security_perf_event_open(attr, PERF_SECURITY_KERNEL); @@
>> -1293,7 +1294,8 @@ static inline int perf_allow_kernel(struct
>> perf_event_attr *attr)
>>
>> static inline int perf_allow_cpu(struct perf_event_attr *attr) {
>> - if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
>> + if (sysctl_perf_event_paranoid > 0 &&
>> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
>> return -EACCES;
>>
>> return security_perf_event_open(attr, PERF_SECURITY_CPU); @@ -
>> 1301,7 +1303,8 @@ static inline int perf_allow_cpu(struct perf_event_attr
>> *attr)
>>
>> static inline int perf_allow_tracepoint(struct perf_event_attr *attr) {
>> - if (sysctl_perf_event_paranoid > -1 && !capable(CAP_SYS_ADMIN))
>> + if (sysctl_perf_event_paranoid > -1 &&
>> + !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
>> return -EPERM;
>>
>> return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
>> --
>> 2.20.1
>
> Thanks. I like the idea of CAP_SYS_PERFMON that does not require CAP_SYS_ADMIN. It makes granting users the ability to run perf a bit safer.
>
> I see a lot of "(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))" constructs now. Maybe wrapping it in an "inline bool perfmon_capable()" defined somewhere (like in /include/linux/capability.h)?
Sounds reasonable, thanks!
~Alexey
>
> - Igor
>
* [PATCH v2 3/7] perf tool: extend Perf tool with CAP_SYS_PERFMON capability support
From: Alexey Budankov @ 2019-12-16 7:16 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
james.bottomley, benh, Casey Schaufler, serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
Extend error messages to mention the CAP_SYS_PERFMON capability as an option
to substitute for the CAP_SYS_ADMIN capability in secure system performance
monitoring and observability operations [1]. Make perf_event_paranoid_check()
aware of the CAP_SYS_PERFMON capability.
[1] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
tools/perf/design.txt | 3 ++-
tools/perf/util/cap.h | 4 ++++
tools/perf/util/evsel.c | 10 +++++-----
tools/perf/util/util.c | 1 +
4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/tools/perf/design.txt b/tools/perf/design.txt
index 0453ba26cdbd..71755b3e1303 100644
--- a/tools/perf/design.txt
+++ b/tools/perf/design.txt
@@ -258,7 +258,8 @@ gets schedule to. Per task counters can be created by any user, for
their own tasks.
A 'pid == -1' and 'cpu == x' counter is a per CPU counter that counts
-all events on CPU-x. Per CPU counters need CAP_SYS_ADMIN privilege.
+all events on CPU-x. Per CPU counters need CAP_SYS_PERFMON or
+CAP_SYS_ADMIN privilege.
The 'flags' parameter is currently unused and must be zero.
diff --git a/tools/perf/util/cap.h b/tools/perf/util/cap.h
index 051dc590ceee..0f79fbf6638b 100644
--- a/tools/perf/util/cap.h
+++ b/tools/perf/util/cap.h
@@ -29,4 +29,8 @@ static inline bool perf_cap__capable(int cap __maybe_unused)
#define CAP_SYSLOG 34
#endif
+#ifndef CAP_SYS_PERFMON
+#define CAP_SYS_PERFMON 38
+#endif
+
#endif /* __PERF_CAP_H */
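Review bot: the fallback `#define CAP_SYS_PERFMON 38` has to track the uapi value exactly, and the tool will be built against system headers that predate the capability for a long time; a comment naming include/uapi/linux/capability.h as the source of truth, as the CAP_SYSLOG fallback above already implies, makes a renumbering before the series lands harder to miss, since a stale value would silently check the wrong capability bit.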
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index f4dea055b080..3a46325e3702 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -2468,14 +2468,14 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target,
"You may not have permission to collect %sstats.\n\n"
"Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n"
"which controls use of the performance events system by\n"
- "unprivileged users (without CAP_SYS_ADMIN).\n\n"
+ "unprivileged users (without CAP_SYS_PERFMON or CAP_SYS_ADMIN).\n\n"
"The current value is %d:\n\n"
" -1: Allow use of (almost) all events by all users\n"
" Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n"
- ">= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN\n"
- " Disallow raw tracepoint access by users without CAP_SYS_ADMIN\n"
- ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n"
- ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN\n\n"
+ ">= 0: Disallow ftrace function tracepoint by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
+ " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
+ ">= 1: Disallow CPU event access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
+ ">= 2: Disallow kernel profiling by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n\n"
"To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n"
" kernel.perf_event_paranoid = -1\n" ,
target->system_wide ? "system-wide " : "",
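Review bot: the explanation now names CAP_SYS_PERFMON, but the remedy the message ends with is still `kernel.perf_event_paranoid = -1`, which lowers the restriction for every user on the host; since the point of this series is that granting CAP_SYS_PERFMON to the monitoring process is the narrower fix, the hint text should present that option before, or instead of, the sysctl change.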
diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
index 969ae560dad9..9981db0d8d09 100644
--- a/tools/perf/util/util.c
+++ b/tools/perf/util/util.c
@@ -272,6 +272,7 @@ int perf_event_paranoid(void)
bool perf_event_paranoid_check(int max_level)
{
return perf_cap__capable(CAP_SYS_ADMIN) ||
+ perf_cap__capable(CAP_SYS_PERFMON) ||
perf_event_paranoid() <= max_level;
}
--
2.20.1
* [PATCH v2 4/7] drm/i915/perf: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 7:17 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
james.bottomley, benh, Casey Schaufler, serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
Open access to i915_perf monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the i915_perf subsystem remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
i915_perf monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
drivers/gpu/drm/i915/i915_perf.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
index e42b86827d6b..8a9ff40b1b0b 100644
--- a/drivers/gpu/drm/i915/i915_perf.c
+++ b/drivers/gpu/drm/i915/i915_perf.c
@@ -2748,10 +2748,11 @@ i915_perf_open_ioctl_locked(struct drm_i915_private *dev_priv,
/* Similar to perf's kernel.perf_paranoid_cpu sysctl option
* we check a dev.i915.perf_stream_paranoid sysctl option
* to determine if it's ok to access system wide OA counters
- * without CAP_SYS_ADMIN privileges.
+ * without CAP_SYS_PERFMON or CAP_SYS_ADMIN privileges.
*/
if (privileged_op &&
- i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) {
+ i915_perf_stream_paranoid &&
+ !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))) {
DRM_DEBUG("Insufficient privileges to open system-wide i915 perf stream\n");
ret = -EACCES;
goto err_ctx;
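Review bot: since this comment block is being edited anyway, fix the stale reference to "kernel.perf_paranoid_cpu" on its first line; the sysctl the comparison is drawn to is kernel.perf_event_paranoid, the one the patched checks in 2/7 read. The DRM_DEBUG text below could also name the capabilities it requires, as the oa_max_sample_rate message in the next hunk now does.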
@@ -2940,8 +2941,8 @@ static int read_properties_unlocked(struct drm_i915_private *dev_priv,
oa_freq_hz = 0;
if (oa_freq_hz > i915_oa_max_sample_rate &&
- !capable(CAP_SYS_ADMIN)) {
- DRM_DEBUG("OA exponent would exceed the max sampling frequency (sysctl dev.i915.oa_max_sample_rate) %uHz without root privileges\n",
+ !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))) {
+ DRM_DEBUG("OA exponent would exceed the max sampling frequency (sysctl dev.i915.oa_max_sample_rate) %uHz without CAP_SYS_PERFMON or CAP_SYS_ADMIN privileges\n",
i915_oa_max_sample_rate);
return -EACCES;
}
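Review bot: this gate is different in kind from the others in the series: dev.i915.oa_max_sample_rate bounds how fast the OA unit may emit reports, i.e. it is a resource-consumption limit rather than an information-disclosure one, and a CAP_SYS_PERFMON holder may now exceed it. The commit message should say explicitly that the new capability is meant to carry this sampling-rate override too, so that administrators granting it understand they are waiving that bound.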
@@ -3328,7 +3329,7 @@ int i915_perf_add_config_ioctl(struct drm_device *dev, void *data,
return -EINVAL;
}
- if (i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) {
+ if (i915_perf_stream_paranoid && !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))) {
DRM_DEBUG("Insufficient privileges to add i915 OA config\n");
return -EACCES;
}
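Review bot: the rewritten condition runs well past 80 columns here and in the matching remove_config hunk below, which checkpatch will flag; wrap it the way the open_ioctl hunk above does, or better, fold the repeated `capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)` into one helper shared across the series.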
@@ -3474,7 +3475,7 @@ int i915_perf_remove_config_ioctl(struct drm_device *dev, void *data,
return -ENOTSUPP;
}
- if (i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) {
+ if (i915_perf_stream_paranoid && !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))) {
DRM_DEBUG("Insufficient privileges to remove i915 OA config\n");
return -EACCES;
}
--
2.20.1
* [PATCH v2 5/7] trace/bpf_trace: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 7:17 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
james.bottomley, benh, Casey Schaufler, serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
Open access to bpf_trace monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to bpf_trace monitoring remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
bpf_trace monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
kernel/trace/bpf_trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 44bd08f2443b..0231bb363ef9 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1272,7 +1272,7 @@ int perf_event_query_prog_array(struct perf_event *event, void __user *info)
u32 *ids, prog_cnt, ids_len;
int ret;
- if (!capable(CAP_SYS_ADMIN))
+ if (!(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
return -EPERM;
if (event->attr.type != PERF_TYPE_TRACEPOINT)
return -EINVAL;
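Review bot: the commit message says "bpf_trace monitoring", but the only change is in perf_event_query_prog_array(), which hands back the ids of BPF programs attached to a tracepoint perf event; the subject and message should say that, so it is clear that CAP_SYS_PERFMON gains a read-only query here and not the ability to attach or load programs.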
--
2.20.1
* [PATCH v2 6/7] powerpc/perf: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 7:18 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
james.bottomley, benh, Casey Schaufler, serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
Open access to monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the monitoring remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
arch/powerpc/perf/imc-pmu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c
index cb50a9e1fd2d..d8f936d1d6cc 100644
--- a/arch/powerpc/perf/imc-pmu.c
+++ b/arch/powerpc/perf/imc-pmu.c
@@ -898,7 +898,7 @@ static int thread_imc_event_init(struct perf_event *event)
if (event->attr.type != event->pmu->type)
return -ENOENT;
- if (!capable(CAP_SYS_ADMIN))
+ if (!(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
return -EACCES;
/* Sampling not supported */
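Review bot: the message "Open access to monitoring" does not say what is being opened; the hunk headers show it is thread_imc_event_init() and trace_imc_event_init(), so the commit message should name the IMC PMU thread and trace modes, and note that, unlike the sysctl-gated checks in 2/7, this check is unconditional, so CAP_SYS_PERFMON is the only gate on these PMUs.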
@@ -1307,7 +1307,7 @@ static int trace_imc_event_init(struct perf_event *event)
if (event->attr.type != event->pmu->type)
return -ENOENT;
- if (!capable(CAP_SYS_ADMIN))
+ if (!(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
return -EACCES;
/* Return if this is a couting event */
--
2.20.1
* [PATCH v2 7/7] parisc/perf: open access for CAP_SYS_PERFMON privileged process
From: Alexey Budankov @ 2019-12-16 7:19 UTC (permalink / raw)
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar,
jani.nikula, joonas.lahtinen, rodrigo.vivi, Alexei Starovoitov,
james.bottomley, benh, Casey Schaufler, serge, James Morris
Cc: Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev,
Alexander Shishkin, Namhyung Kim, Jann Horn, Kees Cook,
Thomas Gleixner, Tvrtko Ursulin, linux-security-module, selinux,
linux-kernel, linux-perf-users, intel-gfx, bgregg, Song Liu, bpf,
linux-parisc, linuxppc-dev
Open access to monitoring for CAP_SYS_PERFMON privileged processes.
For backward compatibility reasons, access to the monitoring remains open
for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure
monitoring is discouraged with respect to the CAP_SYS_PERFMON capability.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
arch/parisc/kernel/perf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/parisc/kernel/perf.c b/arch/parisc/kernel/perf.c
index 676683641d00..58e7d1444e4f 100644
--- a/arch/parisc/kernel/perf.c
+++ b/arch/parisc/kernel/perf.c
@@ -300,7 +300,7 @@ static ssize_t perf_write(struct file *file, const char __user *buf,
else
return -EFAULT;
- if (!capable(CAP_SYS_ADMIN))
+ if (!(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
return -EACCES;
if (count != sizeof(uint32_t))
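Review bot: same documentation gap as 6/7: the commit message is generic, while the hunk shows the check guards perf_write(), the uint32_t command write to the parisc perf device that programs the hardware counters; say so in the subject and message, and note that this is a write path rather than the read-side counter access the rest of the series covers.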
--
2.20.1