Re: [Intel-gfx] [PATCH v7 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability
On Sun, 1 Mar 2020, Serge Hallyn wrote:
> Thanks, this looks good to me, in keeping with the CAP_SYSLOG break.
>
> Acked-by: Serge E. Hallyn
>
> for the set.
>
> James/Ingo/Peter, if no one has remaining objections, whose branch
> should these go in through?
>
> thanks,
> -serge
>
> On Tue, Feb 25, 2020 at 12:55:54PM +0300, Alexey Budankov wrote:
> >
> > Hi,
> >
> > Is there anything else I could do in order to move the changes forward
> > or is something still missing from this patch set?
> > Could you please share your mind?

Alexey,

It seems some of the previous Acks are not included in this patchset, e.g.
https://lkml.org/lkml/2020/1/22/655

Every patch needs a Reviewed-by or Acked-by from maintainers of the code
being changed. You have enough from the security folk, but I can't see any
included from the perf folk.

--
James Morris
Re: [Intel-gfx] [PATCH v7 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability
On Sun, 1 Mar 2020, Serge Hallyn wrote:
> Thanks, this looks good to me, in keeping with the CAP_SYSLOG break.
>
> Acked-by: Serge E. Hallyn
>
> for the set.
>
> James/Ingo/Peter, if no one has remaining objections, whose branch
> should these go in through?
>
> thanks,

I was assuming via the perf tree, but I am happy to take them.

> -serge
>
> On Tue, Feb 25, 2020 at 12:55:54PM +0300, Alexey Budankov wrote:
> >
> > Hi,
> >
> > Is there anything else I could do in order to move the changes forward
> > or is something still missing from this patch set?
> > Could you please share your mind?
> >
> > Thanks,
> > Alexey
> >
> > On 17.02.2020 11:02, Alexey Budankov wrote:
> > >
> > > Currently access to perf_events, i915_perf and other performance
> > > monitoring and observability subsystems of the kernel is open only for
> > > a privileged process [1] with CAP_SYS_ADMIN capability enabled in the
> > > process effective set [2].
> > >
> > > This patch set introduces CAP_PERFMON capability designed to secure
> > > system performance monitoring and observability operations so that
> > > CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role
> > > for performance monitoring and observability subsystems of the kernel.
> > >
> > > CAP_PERFMON intends to harden system security and integrity during
> > > performance monitoring and observability operations by decreasing attack
> > > surface that is available to a CAP_SYS_ADMIN privileged process [2].
> > > Providing the access to performance monitoring and observability
> > > operations under CAP_PERFMON capability singly, without the rest of
> > > CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials
> > > and makes the operation more secure. Thus, CAP_PERFMON implements the
> > > principle of least privilege for performance monitoring and
> > > observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle of
> > > least privilege: A security design principle that states that a process
> > > or program be granted only those privileges (e.g., capabilities)
> > > necessary to accomplish its legitimate function, and only for the time
> > > that such privileges are actually required)
> > >
> > > CAP_PERFMON intends to meet the demand to secure system performance
> > > monitoring and observability operations for adoption in security
> > > sensitive, restricted, multiuser production environments (e.g. HPC
> > > clusters, cloud and virtual compute environments), where root or
> > > CAP_SYS_ADMIN credentials are not available to mass users of a system,
> > > and securely unblock accessibility of system performance monitoring and
> > > observability operations beyond root and CAP_SYS_ADMIN use cases.
> > >
> > > CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
> > > system performance monitoring and observability operations and balance
> > > amount of CAP_SYS_ADMIN credentials following the recommendations in
> > > the capabilities man page [2] for CAP_SYS_ADMIN: "Note: this capability
> > > is overloaded; see Notes to kernel developers, below." For backward
> > > compatibility reasons access to system performance monitoring and
> > > observability subsystems of the kernel remains open for CAP_SYS_ADMIN
> > > privileged processes but CAP_SYS_ADMIN capability usage for secure
> > > system performance monitoring and observability operations is
> > > discouraged with respect to the designed CAP_PERFMON capability.
> > >
> > > Possible alternative solution to this system security hardening,
> > > capabilities balancing task of making performance monitoring and
> > > observability operations more secure and accessible could be to use
> > > the existing CAP_SYS_PTRACE capability to govern system performance
> > > monitoring and observability subsystems. However CAP_SYS_PTRACE
> > > capability still provides users with more credentials than are
> > > required for secure performance monitoring and observability
> > > operations and this excess is avoided by the designed CAP_PERFMON.
> > >
> > > Although software running under CAP_PERFMON can not ensure avoidance of
> > > related hardware issues, the software can still mitigate those issues
> > > following the official hardware issues mitigation procedure [3]. The
> > > bugs in the software itself can be fixed following the standard kernel
> > > development process [4] to maintain and harden security of system
> > > performance monitoring and observability operations. Finally, the patch
> > > set is shaped in the way that simplifies backtracking procedure of
> > > possible induced issues [5] as much as possible.
> > >
> > > The patch set is for tip perf/core repository:
> > > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip perf/core
> > > sha1: fdb64822443ec9fb8c3a74b598a74790ae8d2e22
> > >
> > > ---
> > > Changes in v7:
> > > - updated and extended kernel.rst and perf-security.rst documentation
> > > files with the information about CAP_PERFMON capa
Re: [Intel-gfx] [PATCH v7 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability
Thanks, this looks good to me, in keeping with the CAP_SYSLOG break.

Acked-by: Serge E. Hallyn

for the set.

James/Ingo/Peter, if no one has remaining objections, whose branch
should these go in through?

thanks,
-serge

On Tue, Feb 25, 2020 at 12:55:54PM +0300, Alexey Budankov wrote:
>
> Hi,
>
> Is there anything else I could do in order to move the changes forward
> or is something still missing from this patch set?
> Could you please share your mind?
>
> Thanks,
> Alexey
>
> On 17.02.2020 11:02, Alexey Budankov wrote:
> >
> > Currently access to perf_events, i915_perf and other performance
> > monitoring and observability subsystems of the kernel is open only for
> > a privileged process [1] with CAP_SYS_ADMIN capability enabled in the
> > process effective set [2].
> >
> > This patch set introduces CAP_PERFMON capability designed to secure
> > system performance monitoring and observability operations so that
> > CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role
> > for performance monitoring and observability subsystems of the kernel.
> >
> > CAP_PERFMON intends to harden system security and integrity during
> > performance monitoring and observability operations by decreasing attack
> > surface that is available to a CAP_SYS_ADMIN privileged process [2].
> > Providing the access to performance monitoring and observability
> > operations under CAP_PERFMON capability singly, without the rest of
> > CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials
> > and makes the operation more secure. Thus, CAP_PERFMON implements the
> > principle of least privilege for performance monitoring and
> > observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle of
> > least privilege: A security design principle that states that a process
> > or program be granted only those privileges (e.g., capabilities)
> > necessary to accomplish its legitimate function, and only for the time
> > that such privileges are actually required)
> >
> > CAP_PERFMON intends to meet the demand to secure system performance
> > monitoring and observability operations for adoption in security
> > sensitive, restricted, multiuser production environments (e.g. HPC
> > clusters, cloud and virtual compute environments), where root or
> > CAP_SYS_ADMIN credentials are not available to mass users of a system,
> > and securely unblock accessibility of system performance monitoring and
> > observability operations beyond root and CAP_SYS_ADMIN use cases.
> >
> > CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to
> > system performance monitoring and observability operations and balance
> > amount of CAP_SYS_ADMIN credentials following the recommendations in
> > the capabilities man page [2] for CAP_SYS_ADMIN: "Note: this capability
> > is overloaded; see Notes to kernel developers, below." For backward
> > compatibility reasons access to system performance monitoring and
> > observability subsystems of the kernel remains open for CAP_SYS_ADMIN
> > privileged processes but CAP_SYS_ADMIN capability usage for secure
> > system performance monitoring and observability operations is
> > discouraged with respect to the designed CAP_PERFMON capability.
> >
> > Possible alternative solution to this system security hardening,
> > capabilities balancing task of making performance monitoring and
> > observability operations more secure and accessible could be to use
> > the existing CAP_SYS_PTRACE capability to govern system performance
> > monitoring and observability subsystems. However CAP_SYS_PTRACE
> > capability still provides users with more credentials than are
> > required for secure performance monitoring and observability
> > operations and this excess is avoided by the designed CAP_PERFMON.
> >
> > Although software running under CAP_PERFMON can not ensure avoidance of
> > related hardware issues, the software can still mitigate those issues
> > following the official hardware issues mitigation procedure [3]. The
> > bugs in the software itself can be fixed following the standard kernel
> > development process [4] to maintain and harden security of system
> > performance monitoring and observability operations. Finally, the patch
> > set is shaped in the way that simplifies backtracking procedure of
> > possible induced issues [5] as much as possible.
> >
> > The patch set is for tip perf/core repository:
> > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip perf/core
> > sha1: fdb64822443ec9fb8c3a74b598a74790ae8d2e22
> >
> > ---
> > Changes in v7:
> > - updated and extended kernel.rst and perf-security.rst documentation
> > files with the information about CAP_PERFMON capability and its use cases
> > - documented the case of double audit logging of CAP_PERFMON and
> > CAP_SYS_ADMIN
> > capabilities on a SELinux enabled system
> > Changes in v6:
> > - avoided noaudit checks in perfmon_capable() to explicitly advertise
> > CAP_PERFMON usage thru audit logs to
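The cover letter quoted in the thread describes the access policy this series introduces: performance monitoring is granted to a process holding CAP_PERFMON in its effective set, and, for backward compatibility, still to one holding CAP_SYS_ADMIN, while CAP_SYS_PTRACE is rejected as an alternative because it carries more privilege than monitoring needs. The following userspace C program is an added example, not code from the patch set or the kernel tree: it reads the calling thread's effective capability set with the raw capget(2) syscall and applies the same grant rule to it, and adds a least-privilege check that reports whether the process carries anything beyond CAP_PERFMON. The function names are hypothetical; the capability numbers (CAP_SYS_ADMIN = 21, CAP_SYS_PTRACE = 19, CAP_PERFMON = 38) are taken from the Linux uapi headers and are defined locally only when the local headers predate CAP_PERFMON. The kernel's real perfmon_capable() also emits audit records (the point of the v6 change noted above), which this userspace mirror does not reproduce.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Capability numbers as in <linux/capability.h>. CAP_PERFMON (38) was added
 * by this patch set and is absent from headers older than Linux 5.8, so it
 * is supplied here as an assumption when the local header lacks it. */
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif
#ifndef CAP_SYS_PTRACE
#define CAP_SYS_PTRACE 19
#endif
#ifndef CAP_PERFMON
#define CAP_PERFMON 38
#endif

/* Hypothetical userspace mirror of the kernel's grant rule: CAP_PERFMON is
 * sufficient on its own; CAP_SYS_ADMIN is still accepted for backward
 * compatibility. Nothing else (CAP_SYS_PTRACE included) grants access. */
int perfmon_capable_mask(uint64_t effective)
{
    if (effective & (1ULL << CAP_PERFMON))
        return 1;
    return (effective & (1ULL << CAP_SYS_ADMIN)) ? 1 : 0;
}

/* Least-privilege check: does the effective set carry any capability beyond
 * the one a monitoring tool actually needs? A CAP_SYS_ADMIN-based deployment
 * answers "yes", a CAP_PERFMON-only deployment answers "no". */
int has_excess_over_perfmon(uint64_t effective)
{
    return (effective & ~(1ULL << CAP_PERFMON)) != 0;
}

/* Read the calling thread's effective capability set via capget(2) using the
 * v3 ABI (two 32-bit words). Returns 0 if the syscall fails. */
uint64_t current_effective_caps(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0; /* 0 selects the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return (uint64_t)data[0].effective | ((uint64_t)data[1].effective << 32);
}

int main(void)
{
    uint64_t eff = current_effective_caps();

    printf("effective caps: 0x%016llx\n", (unsigned long long)eff);
    printf("would pass the CAP_PERFMON/CAP_SYS_ADMIN grant rule: %s\n",
           perfmon_capable_mask(eff) ? "yes" : "no");
    printf("carries privilege beyond CAP_PERFMON: %s\n",
           has_excess_over_perfmon(eff) ? "yes" : "no");
    return 0;
}
```

Run as an unprivileged user both answers are "no"; run under a file capability of only cap_perfmon=ep the first becomes "yes" and the second stays "no", which is the least-privilege outcome the cover letter argues for, whereas a CAP_SYS_ADMIN deployment answers "yes" to both.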