Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>, Andi Kleen <ak@linux.intel.com>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v3 2/3] perf tool: make Perf tool aware of SELinux access control
Date: Tue, 19 May 2020 10:34:18 +0300
Message-ID: <74f8d079-39ef-756e-7e43-ba4c897fd441@linux.intel.com> (raw)
In-Reply-To: <d10fd4b0-d516-cf16-4379-c5299d0c5cc3@linux.intel.com>


On 18.05.2020 19:43, Alexey Budankov wrote:
> 
> On 18.05.2020 18:58, Arnaldo Carvalho de Melo wrote:
>> Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu:
>>>
>>> Implement selinux sysfs check to see the system is in enforcing
>>> mode and print warning message with pointer to check audit logs.
>>
>> There were some changes in this area meanwhile, so I had to apply the
>> evsel.c by hand, when I push this please double check everything is ok,
> 
> Will do. I appreciate your integrating effort.

Checked at tmp.perf/core branch. The message looks like this:

[root@nntvtune39 acme.tmp]# tools/perf/perf stat
Error:
Access to performance monitoring and observability operations is limited.
Enforced MAC policy settings (SELinux) can limit access to performance
monitoring and observability operations. Inspect system audit records for
more perf_event access control information and adjusting the policy.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for users
without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
perf_event_paranoid setting is 2:
  -1: Allow use of (almost) all events by all users
      Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)

Edited patch at security.txt didn't apply cleanly. It requires white space
prior tab in the first block for wake_alarm etc till perfmon:

---8<---
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
--- a/policy/flask/access_vectors	2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/access_vectors	2020-02-28 23:37:25.000000000 +0300
@@ -174,6 +174,7 @@
 	wake_alarm
 	block_suspend
 	audit_read
+	perfmon
 }

 #
@@ -1099,3 +1100,15 @@

 class xdp_socket
 inherits socket
+
+class perf_event
+{
+	open
+	cpu
+	kernel
+	tracepoint
+	read
+	write
+}
+
+
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
--- a/policy/flask/security_classes	2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/security_classes	2020-02-28 21:35:17.000000000 +0300
@@ -200,4 +200,6 @@

 class xdp_socket

+class perf_event
+
 # FLASK

---8<---

~Alexey

  reply index

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-30  7:06 [PATCH v3 0/3] perf: " Alexey Budankov
2020-04-30  7:15 ` [PATCH v3 1/3] perf docs: extend CAP_SYS_ADMIN with CAP_PERFMON where needed Alexey Budankov
2020-04-30  7:15 ` [PATCH v3 2/3] perf tool: make Perf tool aware of SELinux access control Alexey Budankov
2020-05-18 15:58   ` Arnaldo Carvalho de Melo
2020-05-18 16:43     ` Alexey Budankov
2020-05-19  7:34       ` Alexey Budankov [this message]
2020-05-19 18:10         ` Arnaldo Carvalho de Melo
2020-04-30  7:16 ` [PATCH v3 3/3] perf docs: introduce security.txt file to document related issues Alexey Budankov
2020-05-18 15:59   ` Arnaldo Carvalho de Melo
2020-05-18 16:50     ` Alexey Budankov
2020-05-18 17:06       ` Arnaldo Carvalho de Melo
2020-05-18  8:07 ` [PATCH v3 0/3] perf: make Perf tool aware of SELinux access control Alexey Budankov
  -- strict thread matches above, loose matches on Subject: below --
2020-04-24  6:45 Alexey Budankov
2020-04-24  6:50 ` [PATCH v3 2/3] perf tool: " Alexey Budankov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=74f8d079-39ef-756e-7e43-ba4c897fd441@linux.intel.com \
    --to=alexey.budankov@linux.intel.com \
    --cc=ak@linux.intel.com \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=arnaldo.melo@gmail.com \
    --cc=jolsa@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=namhyung@kernel.org \
    --cc=peterz@infradead.org \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git