Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

From: Arnaldo Carvalho de Melo
Date: Wed Jul 22 2020 - 07:30:17 EST

Next message: Rahul Gottipati: "[PATCH v2 2/2] media: atomisp: Fix coding style issue - correct multiline comments"
Previous message: Pavel Machek: "Re: [PATCH 4.19 034/133] iio:humidity:hts221 Fix alignment and data leak issues"
In reply to: Alexey Budankov: "Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Em Tue, Jul 21, 2020 at 04:06:34PM +0300, Alexey Budankov escreveu:
>
> On 13.07.2020 21:51, Arnaldo Carvalho de Melo wrote:
> > Em Mon, Jul 13, 2020 at 03:37:51PM +0300, Alexey Budankov escreveu:
> >>
> >> On 13.07.2020 15:17, Arnaldo Carvalho de Melo wrote:
> >>> Em Mon, Jul 13, 2020 at 12:48:25PM +0300, Alexey Budankov escreveu:
> >> If it had that patch below then message change would not be required.

> > Sure, but the tool should continue to work and provide useful messages
> > when running on kernels without that change. Pointing to the document is
> > valid and should be done, that is an agreed point. But the tool can do
> > some checks, narrow down the possible causes for the error message and
> > provide something that in most cases will make the user make progress.

> >> However this two sentences in the end of whole message would still add up:
> >> "Please read the 'Perf events and tool security' document:
> >> https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html";

> > We're in violent agreement here. :-)

> Here is the message draft mentioning a) CAP_SYS_PTRACE, for kernels prior
> v5.8, and b) Perf security document link. The plan is to send a patch extending
> perf_events with CAP_PERFMON check [1] for ptrace_may_access() and extending
> the tool with this message.

> "Access to performance monitoring and observability operations is limited.
> Enforced MAC policy settings (SELinux) can limit access to performance
> monitoring and observability operations. Inspect system audit records for
> more perf_event access control information and adjusting the policy.
> Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
> access to performance monitoring and observability operations for processes
> without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability.
> More information can be found at 'Perf events and tool security' document:
> https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
> perf_event_paranoid setting is -1:
> -1: Allow use of (almost) all events by all users
> Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
> >= 0: Disallow raw and ftrace function tracepoint access
> >= 1: Disallow CPU event access
> >= 2: Disallow kernel profiling
> To make the adjusted perf_event_paranoid setting permanent preserve it
> in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)"

Looks ok! Lots of knobs to control access as one needs.

- Arnaldo

> Alexei
>
> [1] https://lore.kernel.org/lkml/20200713121746.GA7029@xxxxxxxxxx/

Next message: Rahul Gottipati: "[PATCH v2 2/2] media: atomisp: Fix coding style issue - correct multiline comments"
Previous message: Pavel Machek: "Re: [PATCH 4.19 034/133] iio:humidity:hts221 Fix alignment and data leak issues"
In reply to: Alexey Budankov: "Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]