Re: [Intel-gfx] [PATCH v7 01/12] capabilities: introduce CAP_PERFMON to kernel and user space
On 2/17/20 3:06 AM, Alexey Budankov wrote: Introduce CAP_PERFMON capability designed to secure system performance monitoring and observability operations so that CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role for performance monitoring and observability subsystems. CAP_PERFMON hardens system security and integrity during performance monitoring and observability operations by decreasing attack surface that is available to a CAP_SYS_ADMIN privileged process [2]. Providing the access to system performance monitoring and observability operations under CAP_PERFMON capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and makes the operation more secure. Thus, CAP_PERFMON implements the principal of least privilege for performance monitoring and observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle of least privilege: A security design principle that states that a process or program be granted only those privileges (e.g., capabilities) necessary to accomplish its legitimate function, and only for the time that such privileges are actually required) CAP_PERFMON meets the demand to secure system performance monitoring and observability operations for adoption in security sensitive, restricted, multiuser production environments (e.g. HPC clusters, cloud and virtual compute environments), where root or CAP_SYS_ADMIN credentials are not available to mass users of a system, and securely unblocks accessibility of system performance monitoring and observability operations beyond the root and CAP_SYS_ADMIN use cases. CAP_PERFMON takes over CAP_SYS_ADMIN credentials related to system performance monitoring and observability operations and balances amount of CAP_SYS_ADMIN credentials following the recommendations in the capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is overloaded; see Notes to kernel developers, below." For backward compatibility reasons access to system performance monitoring and observability subsystems of the kernel remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure system performance monitoring and observability operations is discouraged with respect to the designed CAP_PERFMON capability. Although the software running under CAP_PERFMON can not ensure avoidance of related hardware issues, the software can still mitigate these issues following the official hardware issues mitigation procedure [2]. The bugs in the software itself can be fixed following the standard kernel development process [3] to maintain and harden security of system performance monitoring and observability operations. [1] http://man7.org/linux/man-pages/man7/capabilities.7.html [2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html [3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html Signed-off-by: Alexey Budankov Acked-by: Stephen Smalley [...] ___ Intel-gfx mailing list Intel-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 2/12/20 11:56 AM, Alexey Budankov wrote:
On 12.02.2020 18:45, Stephen Smalley wrote:
On 2/12/20 10:21 AM, Stephen Smalley wrote:
On 2/12/20 8:53 AM, Alexey Budankov wrote:
On 12.02.2020 16:32, Stephen Smalley wrote:
On 2/12/20 3:53 AM, Alexey Budankov wrote:
Hi Stephen,
On 22.01.2020 17:07, Stephen Smalley wrote:
On 1/22/20 5:45 AM, Alexey Budankov wrote:
On 21.01.2020 21:27, Alexey Budankov wrote:
On 21.01.2020 20:55, Alexei Starovoitov wrote:
On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov
wrote:
On 21.01.2020 17:43, Stephen Smalley wrote:
On 1/20/20 6:23 AM, Alexey Budankov wrote:
Introduce CAP_PERFMON capability designed to secure system performance
Why _noaudit()? Normally only used when a permission failure is non-fatal to
the operation. Otherwise, we want the audit message.
So far so good, I suggest using the simplest version for v6:
static inline bool perfmon_capable(void)
{
return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
}
It keeps the implementation simple and readable. The implementation is more
performant in the sense of calling the API - one capable() call for CAP_PERFMON
privileged process.
Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged
processes,
but this bloating also advertises and leverages using more secure CAP_PERFMON
based approach to use perf_event_open system call.
I can live with that. We just need to document that when you see both a
CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, try only allowing
CAP_PERFMON first and see if that resolves the issue. We have a similar issue
with CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE.
I am trying to reproduce this double logging with CAP_PERFMON.
I am using the refpolicy version with enabled perf_event tclass [1], in
permissive mode.
When running perf stat -a I am observing this AVC audit messages:
type=AVC msg=audit(1581496695.666:8691): avc: denied { open } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { kernel } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { cpu } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8692): avc: denied { write } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
However there is no capability related messages around. I suppose my refpolicy
should
be modified somehow to observe capability related AVCs.
Could you please comment or clarify on how to enable caps related AVCs in order
to test the concerned logging.
The new perfmon permission has to be defined in your policy; you'll have a message in
dmesg about "Permission perfmon in class capability2 not defined in policy.".
You can either add it to the common cap2 definition in
refpolicy/policy/flask/access_vectors and rebuild your policy or extract your base module
as CIL, add it there, and insert the updated module.
Yes, I already have it like this:
common cap2
{
<-->mac_override<--># unused by SELinux
<-->mac_admin
<-->syslog
<-->wake_alarm
<-->block_suspend
<-->audit_read
<-->perfmon
}
dmesg stopped reporting perfmon as not defined but audit.log still doesn't
report CAP_PERFMON denials.
BTW, audit even doesn't report CAP_SYS_ADMIN denials, however perfmon_capable()
does check for it.
Some denials may be silenced by dontaudit rules; semodule -DB will strip those
and semodule -B will restore them. Other possibility is that the process
doesn't have CAP_PERFMON in its effective set and therefore never reaches
SELinux at all; denied first by the capability module.
Also, the fact that your denials are showing up in user_systemd_t suggests that
something is off in your policy or userspace/distro; I assume that is a domain
type for the systemd --user instance, but your shell and commands shouldn't be
running in that domain (user_t would be more appropriate for that).
It is user_t for local terminal session:
ps -Z
LABEL PID TTY TIME CMD
user_u:user_r:user_t11317 pts/900:00:00 bash
user_u:user_r:user_t11796 pts/900:00:00 ps
For local terminal root session:
ps -Z
LABEL PID TTY TIME CMD
user_u:user_r:user_su_t 2926 pts/300:00:00 bash
user_u:user_r:user_su_t 10995 pts/300:00:00 ps
For remote ssh session:
ps -Z
LABEL PID TTY TIME CMD
user_u:user_r:user_t
Re: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 2/12/20 10:21 AM, Stephen Smalley wrote:
On 2/12/20 8:53 AM, Alexey Budankov wrote:
On 12.02.2020 16:32, Stephen Smalley wrote:
On 2/12/20 3:53 AM, Alexey Budankov wrote:
Hi Stephen,
On 22.01.2020 17:07, Stephen Smalley wrote:
On 1/22/20 5:45 AM, Alexey Budankov wrote:
On 21.01.2020 21:27, Alexey Budankov wrote:
On 21.01.2020 20:55, Alexei Starovoitov wrote:
On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov
wrote:
On 21.01.2020 17:43, Stephen Smalley wrote:
On 1/20/20 6:23 AM, Alexey Budankov wrote:
Introduce CAP_PERFMON capability designed to secure system
performance
Why _noaudit()? Normally only used when a permission failure
is non-fatal to the operation. Otherwise, we want the audit
message.
So far so good, I suggest using the simplest version for v6:
static inline bool perfmon_capable(void)
{
return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
}
It keeps the implementation simple and readable. The
implementation is more
performant in the sense of calling the API - one capable() call
for CAP_PERFMON
privileged process.
Yes, it bloats audit log for CAP_SYS_ADMIN privileged and
unprivileged processes,
but this bloating also advertises and leverages using more secure
CAP_PERFMON
based approach to use perf_event_open system call.
I can live with that. We just need to document that when you see
both a CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process,
try only allowing CAP_PERFMON first and see if that resolves the
issue. We have a similar issue with CAP_DAC_READ_SEARCH versus
CAP_DAC_OVERRIDE.
I am trying to reproduce this double logging with CAP_PERFMON.
I am using the refpolicy version with enabled perf_event tclass [1],
in permissive mode.
When running perf stat -a I am observing this AVC audit messages:
type=AVC msg=audit(1581496695.666:8691): avc: denied { open } for
pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { kernel }
for pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { cpu } for
pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8692): avc: denied { write }
for pid=2779 comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
However there is no capability related messages around. I suppose my
refpolicy should
be modified somehow to observe capability related AVCs.
Could you please comment or clarify on how to enable caps related
AVCs in order
to test the concerned logging.
The new perfmon permission has to be defined in your policy; you'll
have a message in dmesg about "Permission perfmon in class
capability2 not defined in policy.". You can either add it to the
common cap2 definition in refpolicy/policy/flask/access_vectors and
rebuild your policy or extract your base module as CIL, add it there,
and insert the updated module.
Yes, I already have it like this:
common cap2
{
<-->mac_override<--># unused by SELinux
<-->mac_admin
<-->syslog
<-->wake_alarm
<-->block_suspend
<-->audit_read
<-->perfmon
}
dmesg stopped reporting perfmon as not defined but audit.log still
doesn't report CAP_PERFMON denials.
BTW, audit even doesn't report CAP_SYS_ADMIN denials, however
perfmon_capable() does check for it.
Some denials may be silenced by dontaudit rules; semodule -DB will strip
those and semodule -B will restore them. Other possibility is that the
process doesn't have CAP_PERFMON in its effective set and therefore
never reaches SELinux at all; denied first by the capability module.
Also, the fact that your denials are showing up in user_systemd_t
suggests that something is off in your policy or userspace/distro; I
assume that is a domain type for the systemd --user instance, but your
shell and commands shouldn't be running in that domain (user_t would be
more appropriate for that).
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 2/12/20 8:53 AM, Alexey Budankov wrote:
On 12.02.2020 16:32, Stephen Smalley wrote:
On 2/12/20 3:53 AM, Alexey Budankov wrote:
Hi Stephen,
On 22.01.2020 17:07, Stephen Smalley wrote:
On 1/22/20 5:45 AM, Alexey Budankov wrote:
On 21.01.2020 21:27, Alexey Budankov wrote:
On 21.01.2020 20:55, Alexei Starovoitov wrote:
On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov
wrote:
On 21.01.2020 17:43, Stephen Smalley wrote:
On 1/20/20 6:23 AM, Alexey Budankov wrote:
Introduce CAP_PERFMON capability designed to secure system performance
Why _noaudit()? Normally only used when a permission failure is non-fatal to
the operation. Otherwise, we want the audit message.
So far so good, I suggest using the simplest version for v6:
static inline bool perfmon_capable(void)
{
return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
}
It keeps the implementation simple and readable. The implementation is more
performant in the sense of calling the API - one capable() call for CAP_PERFMON
privileged process.
Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged
processes,
but this bloating also advertises and leverages using more secure CAP_PERFMON
based approach to use perf_event_open system call.
I can live with that. We just need to document that when you see both a
CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, try only allowing
CAP_PERFMON first and see if that resolves the issue. We have a similar issue
with CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE.
I am trying to reproduce this double logging with CAP_PERFMON.
I am using the refpolicy version with enabled perf_event tclass [1], in
permissive mode.
When running perf stat -a I am observing this AVC audit messages:
type=AVC msg=audit(1581496695.666:8691): avc: denied { open } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { kernel } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { cpu } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8692): avc: denied { write } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
However there is no capability related messages around. I suppose my refpolicy
should
be modified somehow to observe capability related AVCs.
Could you please comment or clarify on how to enable caps related AVCs in order
to test the concerned logging.
The new perfmon permission has to be defined in your policy; you'll have a message in
dmesg about "Permission perfmon in class capability2 not defined in policy.".
You can either add it to the common cap2 definition in
refpolicy/policy/flask/access_vectors and rebuild your policy or extract your base module
as CIL, add it there, and insert the updated module.
Yes, I already have it like this:
common cap2
{
<-->mac_override<--># unused by SELinux
<-->mac_admin
<-->syslog
<-->wake_alarm
<-->block_suspend
<-->audit_read
<-->perfmon
}
dmesg stopped reporting perfmon as not defined but audit.log still doesn't
report CAP_PERFMON denials.
BTW, audit even doesn't report CAP_SYS_ADMIN denials, however perfmon_capable()
does check for it.
Some denials may be silenced by dontaudit rules; semodule -DB will strip
those and semodule -B will restore them. Other possibility is that the
process doesn't have CAP_PERFMON in its effective set and therefore
never reaches SELinux at all; denied first by the capability module.
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 2/12/20 3:53 AM, Alexey Budankov wrote:
Hi Stephen,
On 22.01.2020 17:07, Stephen Smalley wrote:
On 1/22/20 5:45 AM, Alexey Budankov wrote:
On 21.01.2020 21:27, Alexey Budankov wrote:
On 21.01.2020 20:55, Alexei Starovoitov wrote:
On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov
wrote:
On 21.01.2020 17:43, Stephen Smalley wrote:
On 1/20/20 6:23 AM, Alexey Budankov wrote:
Introduce CAP_PERFMON capability designed to secure system performance
Why _noaudit()? Normally only used when a permission failure is non-fatal to
the operation. Otherwise, we want the audit message.
So far so good, I suggest using the simplest version for v6:
static inline bool perfmon_capable(void)
{
return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
}
It keeps the implementation simple and readable. The implementation is more
performant in the sense of calling the API - one capable() call for CAP_PERFMON
privileged process.
Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged
processes,
but this bloating also advertises and leverages using more secure CAP_PERFMON
based approach to use perf_event_open system call.
I can live with that. We just need to document that when you see both a
CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, try only allowing
CAP_PERFMON first and see if that resolves the issue. We have a similar issue
with CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE.
I am trying to reproduce this double logging with CAP_PERFMON.
I am using the refpolicy version with enabled perf_event tclass [1], in
permissive mode.
When running perf stat -a I am observing this AVC audit messages:
type=AVC msg=audit(1581496695.666:8691): avc: denied { open } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { kernel } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8691): avc: denied { cpu } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
type=AVC msg=audit(1581496695.666:8692): avc: denied { write } for pid=2779
comm="perf" scontext=user_u:user_r:user_systemd_t
tcontext=user_u:user_r:user_systemd_t tclass=perf_event permissive=1
However there is no capability related messages around. I suppose my refpolicy
should
be modified somehow to observe capability related AVCs.
Could you please comment or clarify on how to enable caps related AVCs in order
to test the concerned logging.
The new perfmon permission has to be defined in your policy; you'll have
a message in dmesg about "Permission perfmon in class capability2 not
defined in policy.". You can either add it to the common cap2
definition in refpolicy/policy/flask/access_vectors and rebuild your
policy or extract your base module as CIL, add it there, and insert the
updated module.
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v6 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 2/6/20 1:26 PM, Alexey Budankov wrote: On 06.02.2020 21:23, Stephen Smalley wrote: On 2/5/20 12:30 PM, Alexey Budankov wrote: Introduce CAP_PERFMON capability designed to secure system performance monitoring and observability operations so that CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role for performance monitoring and observability subsystems. CAP_PERFMON hardens system security and integrity during performance monitoring and observability operations by decreasing attack surface that is available to a CAP_SYS_ADMIN privileged process [2]. Providing the access to system performance monitoring and observability operations under CAP_PERFMON capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and makes the operation more secure. Thus, CAP_PERFMON implements the principal of least privilege for performance monitoring and observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle of least privilege: A security design principle that states that a process or program be granted only those privileges (e.g., capabilities) necessary to accomplish its legitimate function, and only for the time that such privileges are actually required) CAP_PERFMON meets the demand to secure system performance monitoring and observability operations for adoption in security sensitive, restricted, multiuser production environments (e.g. HPC clusters, cloud and virtual compute environments), where root or CAP_SYS_ADMIN credentials are not available to mass users of a system, and securely unblocks accessibility of system performance monitoring and observability operations beyond root and CAP_SYS_ADMIN use cases. CAP_PERFMON takes over CAP_SYS_ADMIN credentials related to system performance monitoring and observability operations and balances amount of CAP_SYS_ADMIN credentials following the recommendations in the capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is overloaded; see Notes to kernel developers, below." For backward compatibility reasons access to system performance monitoring and observability subsystems of the kernel remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN capability usage for secure system performance monitoring and observability operations is discouraged with respect to the designed CAP_PERFMON capability. Although the software running under CAP_PERFMON can not ensure avoidance of related hardware issues, the software can still mitigate these issues following the official hardware issues mitigation procedure [2]. The bugs in the software itself can be fixed following the standard kernel development process [3] to maintain and harden security of system performance monitoring and observability operations. [1] http://man7.org/linux/man-pages/man7/capabilities.7.html [2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html [3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html Signed-off-by: Alexey Budankov This will require a small update to the selinux-testsuite to correctly reflect the new capability requirements, but that's easy enough. Is the suite a part of the kernel sources or something else? It is external, https://github.com/SELinuxProject/selinux-testsuite I wasn't suggesting that your patch be blocked on updating the testsuite, just noting that it will need to be done. ___ Intel-gfx mailing list Intel-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v6 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 2/5/20 12:30 PM, Alexey Budankov wrote:
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for performance monitoring
and observability subsystems.
CAP_PERFMON hardens system security and integrity during performance
monitoring and observability operations by decreasing attack surface that
is available to a CAP_SYS_ADMIN privileged process [2]. Providing the access
to system performance monitoring and observability operations under CAP_PERFMON
capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes
chances to misuse the credentials and makes the operation more secure.
Thus, CAP_PERFMON implements the principal of least privilege for performance
monitoring and observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle
of least privilege: A security design principle that states that a process
or program be granted only those privileges (e.g., capabilities) necessary
to accomplish its legitimate function, and only for the time that such
privileges are actually required)
CAP_PERFMON meets the demand to secure system performance monitoring and
observability operations for adoption in security sensitive, restricted,
multiuser production environments (e.g. HPC clusters, cloud and virtual compute
environments), where root or CAP_SYS_ADMIN credentials are not available to
mass users of a system, and securely unblocks accessibility of system
performance monitoring and observability operations beyond root and
CAP_SYS_ADMIN use cases.
CAP_PERFMON takes over CAP_SYS_ADMIN credentials related to system performance
monitoring and observability operations and balances amount of CAP_SYS_ADMIN
credentials following the recommendations in the capabilities man page [1]
for CAP_SYS_ADMIN: "Note: this capability is overloaded; see Notes to kernel
developers, below." For backward compatibility reasons access to system
performance monitoring and observability subsystems of the kernel remains
open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN capability
usage for secure system performance monitoring and observability operations
is discouraged with respect to the designed CAP_PERFMON capability.
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official hardware issues mitigation procedure [2]. The bugs
in the software itself can be fixed following the standard kernel development
process [3] to maintain and harden security of system performance monitoring
and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2]
https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov
This will require a small update to the selinux-testsuite to correctly
reflect the new capability requirements, but that's easy enough.
Acked-by: Stephen Smalley
---
include/linux/capability.h | 4
include/uapi/linux/capability.h | 8 +++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..027d7e4a853b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct
user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace
*ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace
*ns);
+static inline bool perfmon_capable(void)
+{
+ return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct
cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..8b416e5f3afa 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_PERFMON38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..c599b0c2b0e7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
Re: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 1/22/20 5:45 AM, Alexey Budankov wrote:
On 21.01.2020 21:27, Alexey Budankov wrote:
On 21.01.2020 20:55, Alexei Starovoitov wrote:
On Tue, Jan 21, 2020 at 9:31 AM Alexey Budankov
wrote:
On 21.01.2020 17:43, Stephen Smalley wrote:
On 1/20/20 6:23 AM, Alexey Budankov wrote:
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems.
CAP_PERFMON intends to harden system security and integrity during system
performance monitoring and observability operations by decreasing attack
surface that is available to a CAP_SYS_ADMIN privileged process [1].
Providing access to system performance monitoring and observability
operations under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and
makes operation more secure.
CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials following the recommendations in the
capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is
overloaded; see Notes to kernel developers, below."
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official embargoed hardware issues mitigation procedure [2].
The bugs in the software itself could be fixed following the standard
kernel development process [3] to maintain and harden security of system
performance monitoring and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2]
https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov
---
include/linux/capability.h | 12
include/uapi/linux/capability.h | 8 +++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..8784969d91e1 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct
user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace
*ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace
*ns);
+static inline bool perfmon_capable(void)
+{
+struct user_namespace *ns = _user_ns;
+
+if (ns_capable_noaudit(ns, CAP_PERFMON))
+return ns_capable(ns, CAP_PERFMON);
+
+if (ns_capable_noaudit(ns, CAP_SYS_ADMIN))
+return ns_capable(ns, CAP_SYS_ADMIN);
+
+return false;
+}
Why _noaudit()? Normally only used when a permission failure is non-fatal to
the operation. Otherwise, we want the audit message.
So far so good, I suggest using the simplest version for v6:
static inline bool perfmon_capable(void)
{
return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
}
It keeps the implementation simple and readable. The implementation is more
performant in the sense of calling the API - one capable() call for CAP_PERFMON
privileged process.
Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged
processes,
but this bloating also advertises and leverages using more secure CAP_PERFMON
based approach to use perf_event_open system call.
I can live with that. We just need to document that when you see both a
CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, try only
allowing CAP_PERFMON first and see if that resolves the issue. We have
a similar issue with CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE.
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
On 1/20/20 6:23 AM, Alexey Budankov wrote:
Introduce CAP_PERFMON capability designed to secure system performance
monitoring and observability operations so that CAP_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems.
CAP_PERFMON intends to harden system security and integrity during system
performance monitoring and observability operations by decreasing attack
surface that is available to a CAP_SYS_ADMIN privileged process [1].
Providing access to system performance monitoring and observability
operations under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and
makes operation more secure.
CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials following the recommendations in the
capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is
overloaded; see Notes to kernel developers, below."
Although the software running under CAP_PERFMON can not ensure avoidance
of related hardware issues, the software can still mitigate these issues
following the official embargoed hardware issues mitigation procedure [2].
The bugs in the software itself could be fixed following the standard
kernel development process [3] to maintain and harden security of system
performance monitoring and observability operations.
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
[2]
https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
[3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
Signed-off-by: Alexey Budankov
---
include/linux/capability.h | 12
include/uapi/linux/capability.h | 8 +++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..8784969d91e1 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct
user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace
*ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace
*ns);
+static inline bool perfmon_capable(void)
+{
+ struct user_namespace *ns = _user_ns;
+
+ if (ns_capable_noaudit(ns, CAP_PERFMON))
+ return ns_capable(ns, CAP_PERFMON);
+
+ if (ns_capable_noaudit(ns, CAP_SYS_ADMIN))
+ return ns_capable(ns, CAP_SYS_ADMIN);
+
+ return false;
+}
Why _noaudit()? Normally only used when a permission failure is
non-fatal to the operation. Otherwise, we want the audit message.
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v3 1/7] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
On 12/16/19 2:58 PM, Alexey Budankov wrote:
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability so that CAP_SYS_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability by decreasing attack surface
that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability and balance amount of
CAP_SYS_ADMIN credentials in accordance with the recommendations provided
in the man page for CAP_SYS_ADMIN [1]: "Note: this capability is overloaded;
see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov
---
include/linux/capability.h | 1 +
include/uapi/linux/capability.h | 8 +++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..6342502c4c2a 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,7 @@ extern bool privileged_wrt_inode_uidgid(struct
user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace
*ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace
*ns);
+#define perfmon_capable() (capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))
I think making it a static inline bool function instead of a macro would
be preferred?
Otherwise,
Acked-by: Stephen Smalley
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct
cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
On 12/18/19 4:24 AM, Alexey Budankov wrote:
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would
assist CAP_SYS_ADMIN capability in its governing role for perf_events,
i915_perf and other subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
attack surface that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
to system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov
Acked-by: Stephen Smalley
Note for selinux developers: we will need to update the
selinux-testsuite tests for perf_event when/if this change lands upstream.
---
include/linux/capability.h | 4
include/uapi/linux/capability.h | 8 +++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..883c879baa4b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct
user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace
*ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace
*ns);
+static inline bool perfmon_capable(void)
+{
+ return capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN);
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct
cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Re: [Intel-gfx] [PATCH v2 1/7] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
On 12/16/19 2:14 AM, Alexey Budankov wrote:
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would assist
CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf
and other performance monitoring and observability subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
attack surface that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
system performance monitoring and observability operations and balance amount
of CAP_SYS_ADMIN credentials following with the recommendations provided
in the capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov
Acked-by: Stephen Smalley
---
include/uapi/linux/capability.h | 8 +++-
security/selinux/include/classmap.h | 4 ++--
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..7d1f8606c3e6 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
