On 2/12/20 3:53 AM, Alexey Budankov wrote:
Hi Stephen,
On 22.01.2020 17:07, Stephen Smalley wrote:
On 1/22/20 5:45 AM, Alexey Budankov wrote:
On 21.01.2020 21:27, Alexey Budankov wrote:
On 21.01.2020 20:55, Alexei Starovoitov wrote:
On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov
<alexey.budan...@linux.intel.com> wrote:
On 21.01.2020 17:43, Stephen Smalley wrote:
On 1/20/20 6:23 AM, Alexey Budankov wrote:
<SNIP>
Introduce CAP_PERFMON capability designed to secure system performance
Why _noaudit()? Normally only used when a permission failure is non-fatal to
the operation. Otherwise, we want the audit message.
So far so good, I suggest using the simplest version for v6:
static inline bool perfmon_capable(void)
{
return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
}
It keeps the implementation simple and readable. The implementation is more
performant in the sense of calling the API - one capable() call for CAP_PERFMON
privileged process.
Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged
processes,
but this bloating also advertises and leverages using more secure CAP_PERFMON
based approach to use perf_event_open system call.
I can live with that. We just need to document that when you see both a
CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, try only allowing
CAP_PERFMON first and see if that resolves the issue. We have a similar issue
with CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE.
I am trying to reproduce this double logging with CAP_PERFMON.
I am using the refpolicy version with enabled perf_event tclass [1], in
permissive mode.
When running perf stat -a I am observing this AVC audit messages:
type=AVC msg=audit(1581496695.666:8691): avc: denied { open } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { kernel } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { cpu } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8692): avc: denied { write } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
However there is no capability related messages around. I suppose my refpolicy
should
be modified somehow to observe capability related AVCs.
Could you please comment or clarify on how to enable caps related AVCs in order
to test the concerned logging.
The new perfmon permission has to be defined in your policy; you'll have
a message in dmesg about "Permission perfmon in class capability2 not
defined in policy.". You can either add it to the common cap2
definition in refpolicy/policy/flask/access_vectors and rebuild your
policy or extract your base module as CIL, add it there, and insert the
updated module.
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
