Re: [PATCH v3 2/3] perf tool: make Perf tool aware of SELinux access control

Mon, 18 May 2020 08:59:14 -0700 

Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu:
> 
> Implement selinux sysfs check to see the system is in enforcing
> mode and print warning message with pointer to check audit logs.

There were some changes in this area meanwhile, so I had to apply the
evsel.c by hand, when I push this please double check everything is ok,

- Arnaldo
 
> Signed-off-by: Alexey Budankov <alexey.budan...@linux.intel.com>
> ---
>  tools/perf/util/cloexec.c |  4 ++--
>  tools/perf/util/evsel.c   | 39 ++++++++++++++++++++++++---------------
>  2 files changed, 26 insertions(+), 17 deletions(-)
> 
> diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c
> index a12872f2856a..9c8ec816261b 100644
> --- a/tools/perf/util/cloexec.c
> +++ b/tools/perf/util/cloexec.c
> @@ -65,7 +65,7 @@ static int perf_flag_probe(void)
>               return 1;
>       }
>  
> -     WARN_ONCE(err != EINVAL && err != EBUSY,
> +     WARN_ONCE(err != EINVAL && err != EBUSY && err != EACCES,
>                 "perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with 
> unexpected error %d (%s)\n",
>                 err, str_error_r(err, sbuf, sizeof(sbuf)));
>  
> @@ -83,7 +83,7 @@ static int perf_flag_probe(void)
>       if (fd >= 0)
>               close(fd);
>  
> -     if (WARN_ONCE(fd < 0 && err != EBUSY,
> +     if (WARN_ONCE(fd < 0 && err != EBUSY && err != EACCES,
>                     "perf_event_open(..., 0) failed unexpectedly with error 
> %d (%s)\n",
>                     err, str_error_r(err, sbuf, sizeof(sbuf))))
>               return -1;
> diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
> index 9fa92649adb4..bf437c059c2b 100644
> --- a/tools/perf/util/evsel.c
> +++ b/tools/perf/util/evsel.c
> @@ -2514,32 +2514,41 @@ int perf_evsel__open_strerror(struct evsel *evsel, 
> struct target *target,
>                             int err, char *msg, size_t size)
>  {
>       char sbuf[STRERR_BUFSIZE];
> -     int printed = 0;
> +     int printed = 0, enforced = 0;
>  
>       switch (err) {
>       case EPERM:
>       case EACCES:
> +             printed += scnprintf(msg + printed, size - printed,
> +                     "Access to performance monitoring and observability 
> operations is limited.\n");
> +
> +             if (!sysfs__read_int("fs/selinux/enforce", &enforced)) {
> +                     if (enforced) {
> +                             printed += scnprintf(msg + printed, size - 
> printed,
> +                                     "Enforced MAC policy settings (SELinux) 
> can limit access to performance\n"
> +                                     "monitoring and observability 
> operations. Inspect system audit records for\n"
> +                                     "more perf_event access control 
> information and adjusting the policy.\n");
> +                     }
> +             }
> +
>               if (err == EPERM)
> -                     printed = scnprintf(msg, size,
> +                     printed += scnprintf(msg, size,
>                               "No permission to enable %s event.\n\n",
>                               perf_evsel__name(evsel));
>  
>               return scnprintf(msg + printed, size - printed,
> -              "You may not have permission to collect %sstats.\n\n"
> -              "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n"
> -              "which controls use of the performance events system by\n"
> -              "unprivileged users (without CAP_PERFMON or 
> CAP_SYS_ADMIN).\n\n"
> -              "The current value is %d:\n\n"
> +              "Consider adjusting /proc/sys/kernel/perf_event_paranoid 
> setting to open\n"
> +              "access to performance monitoring and observability operations 
> for users\n"
> +              "without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.\n"
> +              "perf_event_paranoid setting is %d:\n"
>                "  -1: Allow use of (almost) all events by all users\n"
>                "      Ignore mlock limit after perf_event_mlock_kb without 
> CAP_IPC_LOCK\n"
> -              ">= 0: Disallow ftrace function tracepoint by users without 
> CAP_PERFMON or CAP_SYS_ADMIN\n"
> -              "      Disallow raw tracepoint access by users without 
> CAP_SYS_PERFMON or CAP_SYS_ADMIN\n"
> -              ">= 1: Disallow CPU event access by users without CAP_PERFMON 
> or CAP_SYS_ADMIN\n"
> -              ">= 2: Disallow kernel profiling by users without CAP_PERFMON 
> or CAP_SYS_ADMIN\n\n"
> -              "To make this setting permanent, edit /etc/sysctl.conf too, 
> e.g.:\n\n"
> -              "      kernel.perf_event_paranoid = -1\n" ,
> -                              target->system_wide ? "system-wide " : "",
> -                              perf_event_paranoid());
> +              ">= 0: Disallow raw and ftrace function tracepoint access\n"
> +              ">= 1: Disallow CPU event access\n"
> +              ">= 2: Disallow kernel profiling\n"
> +              "To make the adjusted perf_event_paranoid setting permanent 
> preserve it\n"
> +              "in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = 
> <setting>)",
> +              perf_event_paranoid());
>       case ENOENT:
>               return scnprintf(msg, size, "The %s event is not supported.",
>                                perf_evsel__name(evsel));
> -- 
> 2.24.1
> 
> 

-- 

- Arnaldo

Reply via email to