Re: [PATCH v3 0/4] perf: Use capabilities instead of uid and euid
From: Jiri Olsa
Date: Mon Aug 12 2019 - 05:13:53 EST
On Wed, Aug 07, 2019 at 10:44:13AM -0400, Igor Lubashev wrote:
> Series v1: https://lkml.kernel.org/lkml/1562112605-6235-1-git-send-email-ilubashe@xxxxxxxxxx
>
>
> Kernel is using capabilities instead of uid and euid to restrict access to
> kernel pointers and tracing facilities. This patch series updates the perf to
> better match the security model used by the kernel.
>
> This series enables instructions in Documentation/admin-guide/perf-security.rst
> to actually work, even when kernel.perf_event_paranoid=2 and
> kernel.kptr_restrict=1.
>
> The series consists of four patches:
>
> 01: perf: Add capability-related utilities
> Add utility functions to check capabilities and perf_event_paranoid checks,
> if libcap-dev[el] is available. (Otherwise, assume no capabilities.)
>
> 02: perf: Use CAP_SYS_ADMIN with perf_event_paranoid checks
> Replace the use of euid==0 with a check for CAP_SYS_ADMIN whenever
> perf_event_paranoid level is verified.
>
> 03: perf: Use CAP_SYSLOG with kptr_restrict checks
> Replace the use of uid and euid with a check for CAP_SYSLOG when
> kptr_restrict is verified (similar to kernel/kallsyms.c and lib/vsprintf.c).
> Consult perf_event_paranoid when kptr_restrict==0 (see kernel/kallsyms.c).
>
> 04: perf: Use CAP_SYS_ADMIN instead of euid==0 with ftrace
> Replace the use of euid==0 with a check for CAP_SYS_ADMIN before mounting
> debugfs for ftrace.
>
> I tested this by following Documentation/admin-guide/perf-security.rst
> guidelines and setting sysctls:
>
> kernel.perf_event_paranoid=2
> kernel.kptr_restrict=1
>
> As an unprivileged user who is in perf_users group (setup via instructions
> above), I executed:
> perf record -a -- sleep 1
>
> Without the patch, perf record did not capture any kernel functions.
> With the patch, perf included all kernel functions.
>
>
> Changelog:
> v3: * Fix arm64 compilation (thanks, Alexey and Jiri)
Acked-by: Jiri Olsa <jolsa@xxxxxxxxxx>
thanks,
jirka
> v2: * Added a build feature check for libcap-dev[el] as suggested by Arnaldo
>
>
> Igor Lubashev (4):
> perf: Add capability-related utilities
> perf: Use CAP_SYS_ADMIN with perf_event_paranoid checks
> perf: Use CAP_SYSLOG with kptr_restrict checks
> perf: Use CAP_SYS_ADMIN instead of euid==0 with ftrace
>
> tools/build/Makefile.feature | 2 ++
> tools/build/feature/Makefile | 4 ++++
> tools/build/feature/test-libcap.c | 20 ++++++++++++++++++++
> tools/perf/Makefile.config | 11 +++++++++++
> tools/perf/Makefile.perf | 2 ++
> tools/perf/arch/arm/util/cs-etm.c | 3 ++-
> tools/perf/arch/arm64/util/arm-spe.c | 3 ++-
> tools/perf/arch/x86/util/intel-bts.c | 3 ++-
> tools/perf/arch/x86/util/intel-pt.c | 2 +-
> tools/perf/builtin-ftrace.c | 4 +++-
> tools/perf/util/Build | 2 ++
> tools/perf/util/cap.c | 29 +++++++++++++++++++++++++++++
> tools/perf/util/cap.h | 24 ++++++++++++++++++++++++
> tools/perf/util/event.h | 1 +
> tools/perf/util/evsel.c | 2 +-
> tools/perf/util/python-ext-sources | 1 +
> tools/perf/util/symbol.c | 15 +++++++++++----
> tools/perf/util/util.c | 9 +++++++++
> 18 files changed, 127 insertions(+), 10 deletions(-)
> create mode 100644 tools/build/feature/test-libcap.c
> create mode 100644 tools/perf/util/cap.c
> create mode 100644 tools/perf/util/cap.h
>
> --
> 2.7.4
>