Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance... | linux-security-module

[PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-04-02
[PATCH v8 01/12] capabilities: introduce CAP_PERFMON to kernel and user space · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] capabilities: Introduce CAP_PERFMON to kernel and user space · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 02/12] perf/core: open access to the core for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] perf/core: Open access to the core for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 03/12] perf/core: open access to probes for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] perf/core: open access to probes for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON capability support · Alexey Budankov <hidden> · 2020-04-02
Re: [PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON capability support · Jiri Olsa <hidden> · 2020-04-03
Re: [PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON capability support · Alexey Budankov <hidden> · 2020-04-03
Re: [PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON capability support · Namhyung Kim <namhyung@kernel.org> · 2020-04-04
Re: [PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON capability support · Alexey Budankov <hidden> · 2020-04-04
[tip: perf/core] perf tools: Support CAP_PERFMON capability · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 05/12] drm/i915/perf: open access for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] drm/i915/perf: Open access for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 06/12] trace/bpf_trace: open access for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] trace/bpf_trace: Open access for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 07/12] powerpc/perf: open access for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] powerpc/perf: open access for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 08/12] parisc/perf: open access for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] parisc/perf: open access for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 09/12] drivers/perf: open access for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] drivers/perf: Open access for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 10/12] drivers/oprofile: open access for CAP_PERFMON privileged process · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] drivers/oprofile: Open access for CAP_PERFMON privileged process · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 11/12] doc/admin-guide: update perf-security.rst with CAP_PERFMON information · Alexey Budankov <hidden> · 2020-04-02
[tip: perf/core] doc/admin-guide: Update perf-security.rst with CAP_PERFMON information · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
[PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information · Alexey Budankov <hidden> · 2020-04-02
Re: [PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information · Arnaldo Carvalho de Melo <hidden> · 2020-04-05
Re: [PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information · Alexey Budankov <hidden> · 2020-04-05
Re: [PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information · Alexey Budankov <hidden> · 2020-04-05
Re: [PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information · Arnaldo Carvalho de Melo <hidden> · 2020-04-05
Re: [PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information · Alexey Budankov <hidden> · 2020-04-05
[tip: perf/core] doc/admin-guide: update kernel.rst with CAP_PERFMON information · tip-bot2 for Alexey Budankov <hidden> · 2020-04-22
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <hidden> · 2020-04-07
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Ravi Bangoria <hidden> · 2020-07-10
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-07-10
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <acme@kernel.org> · 2020-07-10
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-07-13
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <acme@kernel.org> · 2020-07-13
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-07-13
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <acme@kernel.org> · 2020-07-13
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Peter Zijlstra <peterz@infradead.org> · 2020-07-14
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <acme@kernel.org> · 2020-07-14
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Alexey Budankov <hidden> · 2020-07-21
Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability · Arnaldo Carvalho de Melo <acme@kernel.org> · 2020-07-22

Re: [PATCH v8 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability

From: Arnaldo Carvalho de Melo <acme@kernel.org>
Date: 2020-07-22 11:30:17
Also in: intel-gfx, linux-doc, linux-man, lkml, selinux

Em Tue, Jul 21, 2020 at 04:06:34PM +0300, Alexey Budankov escreveu:

On 13.07.2020 21:51, Arnaldo Carvalho de Melo wrote:

quoted

Em Mon, Jul 13, 2020 at 03:37:51PM +0300, Alexey Budankov escreveu:

quoted

On 13.07.2020 15:17, Arnaldo Carvalho de Melo wrote:

quoted

Em Mon, Jul 13, 2020 at 12:48:25PM +0300, Alexey Budankov escreveu:

If it had that patch below then message change would not be required.

quoted

Sure, but the tool should continue to work and provide useful messages
when running on kernels without that change. Pointing to the document is
valid and should be done, that is an agreed point. But the tool can do
some checks, narrow down the possible causes for the error message and
provide something that in most cases will make the user make progress.

quoted

However this two sentences in the end of whole message would still add up:
"Please read the 'Perf events and tool security' document:
 https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html"

quoted

We're in violent agreement here. :-)

Here is the message draft mentioning a) CAP_SYS_PTRACE, for kernels prior
v5.8, and b) Perf security document link. The plan is to send a patch extending
perf_events with CAP_PERFMON check [1] for ptrace_may_access() and extending
the tool with this message.

"Access to performance monitoring and observability operations is limited.
 Enforced MAC policy settings (SELinux) can limit access to performance
 monitoring and observability operations. Inspect system audit records for
 more perf_event access control information and adjusting the policy.
 Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
 access to performance monitoring and observability operations for processes
 without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability.
 More information can be found at 'Perf events and tool security' document:
 https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
 perf_event_paranoid setting is -1:
     -1: Allow use of (almost) all events by all users
           Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
 >= 0: Disallow raw and ftrace function tracepoint access
 >= 1: Disallow CPU event access
 >= 2: Disallow kernel profiling
 To make the adjusted perf_event_paranoid setting permanent preserve it
 in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)"

Looks ok! Lots of knobs to control access as one needs.

- Arnaldo

Alexei

[1] https://lore.kernel.org/lkml/20200713121746.GA7029@kernel.org/ (local)

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help