Assignment of CAP_PERFMON [1] Linux capability to an executable located
on a file system requires extended attributes (xattrs) [2] to be supported
by the file system. Even if the file system supports xattrs an fs device
should be mounted with permission to use xattrs for files located on the
device (e.g. without nosuid option [3]). No xattrs support and nosuid
mounts are quite common in HPC and Cloud multiuser environments thus
applicability of privileged Perf user groups based on file capabilities
[4] is limited in that environments. Alternative method to confer Linux
capabilities into a process does still exist and it is thru creation of
capabilities-enabled-semi-privileged shell environment. Usage of this
method to extend privileged Perf user groups approach is documented in
this patch set as an extension to perf-security.rst admin guide file.
[1] https://man7.org/linux/man-pages/man7/capabilities.7.html
[2] https://man7.org/linux/man-pages/man7/xattr.7.html
[3] https://man7.org/linux/man-pages/man8/mount.8.html
[4] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#privileged-perf-users-groups
---
Alexey Budankov (2):
doc/admin-guide: note credentials consolidation under CAP_PERFMON
doc/admin-guide: document creation of CAP_PERFMON privileged shell
Documentation/admin-guide/perf-security.rst | 81 ++++++++++++++++++---
1 file changed, 70 insertions(+), 11 deletions(-)
--
2.24.1
Add note that starting from Linux v5.9 CAP_PERFMON Linux capability
is enough to conduct performance monitoring and observability using
perf_events API.
Signed-off-by: Alexey Budankov <[email protected]>
---
Documentation/admin-guide/perf-security.rst | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst
index 1307b5274a0f..57a65e27eeb9 100644
--- a/Documentation/admin-guide/perf-security.rst
+++ b/Documentation/admin-guide/perf-security.rst
@@ -84,11 +84,14 @@ capabilities then providing the process with CAP_PERFMON capability singly
is recommended as the preferred secure approach to resolve double access
denial logging related to usage of performance monitoring and observability.
-Unprivileged processes using perf_events system call are also subject
-for PTRACE_MODE_READ_REALCREDS ptrace access mode check [7]_ , whose
-outcome determines whether monitoring is permitted. So unprivileged
-processes provided with CAP_SYS_PTRACE capability are effectively
-permitted to pass the check.
+Prior Linux v5.9 unprivileged processes using perf_events system call
+are also subject for PTRACE_MODE_READ_REALCREDS ptrace access mode check
+[7]_ , whose outcome determines whether monitoring is permitted.
+So unprivileged processes provided with CAP_SYS_PTRACE capability are
+effectively permitted to pass the check. Starting from Linux v5.9
+CAP_SYS_PTRACE capability is not required and CAP_PERFMON is enough to
+be provided for processes to make performance monitoring and observability
+operations.
Other capabilities being granted to unprivileged processes can
effectively enable capturing of additional data required for later
--
2.24.1
Document steps to create CAP_PERFMON privileged shell to unblock
Perf tool usage in cases when capabilities can't be assigned to
an executable due to limitations of used file system.
Suggested-by: Andi Kleen <[email protected]>
Signed-off-by: Alexey Budankov <[email protected]>
---
Documentation/admin-guide/perf-security.rst | 68 +++++++++++++++++++--
1 file changed, 62 insertions(+), 6 deletions(-)
diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst
index 57a65e27eeb9..904e4eb37f99 100644
--- a/Documentation/admin-guide/perf-security.rst
+++ b/Documentation/admin-guide/perf-security.rst
@@ -102,11 +102,11 @@ CAP_SYSLOG capability permits reading kernel space memory addresses from
Privileged Perf users groups
---------------------------------
-Mechanisms of capabilities, privileged capability-dumb files [6]_ and
-file system ACLs [10]_ can be used to create dedicated groups of
-privileged Perf users who are permitted to execute performance monitoring
-and observability without scope limits. The following steps can be
-taken to create such groups of privileged Perf users.
+Mechanisms of capabilities, privileged capability-dumb files [6]_,
+file system ACLs [10]_ and sudo [15]_ utility can be used to create
+dedicated groups of privileged Perf users who are permitted to execute
+performance monitoring and observability without limits. The following
+steps can be taken to create such groups of privileged Perf users.
1. Create perf_users group of privileged Perf users, assign perf_users
group to Perf tool executable and limit access to the executable for
@@ -136,7 +136,7 @@ taken to create such groups of privileged Perf users.
# getcap perf
perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep
-If the libcap installed doesn't yet support "cap_perfmon", use "38" instead,
+If the libcap [16]_ installed doesn't yet support "cap_perfmon", use "38" instead,
i.e.:
::
@@ -162,6 +162,60 @@ performance monitoring and observability by using functionality of the
configured Perf tool executable that, when executes, passes perf_events
subsystem scope checks.
+In case Perf tool executable can't be assigned required capabilities (e.g.
+file system is mounted with nosuid option or extended attributes are
+not supported by the file system) then creation of the capabilities
+privileged environment, naturally shell, is possible. The shell provides
+inherent processes with CAP_PERFMON and other required capabilities so that
+performance monitoring and observability operations are available in the
+environment without limits. Access to the environment can be open via sudo
+utility for members of perf_users group only. In order to create such
+environment:
+
+1. Create shell script that uses capsh utility [16]_ to assign CAP_PERFMON
+ and other required capabilities into ambient capability set of the shell
+ process, lock the process security bits after enabling SECBIT_NO_SETUID_FIXUP,
+ SECBIT_NOROOT and SECBIT_NO_CAP_AMBIENT_RAISE bits and then change
+ the process identity to sudo caller of the script who should essentially
+ be a member of perf_users group:
+
+::
+
+ # ls -alh /usr/local/bin/perf.shell
+ -rwxr-xr-x. 1 root root 83 Oct 13 23:57 /usr/local/bin/perf.shell
+ # cat /usr/local/bin/perf.shell
+ exec /usr/sbin/capsh --iab=^cap_perfmon --secbits=239 --user=$SUDO_USER -- -l
+
+2. Extend sudo policy at /etc/sudoers file with a rule for perf_users group:
+
+::
+
+ # grep perf_users /etc/sudoers
+ %perf_users ALL=/usr/local/bin/perf.shell
+
+3. Check that members of perf_users group have access to the privileged
+ shell and have CAP_PERFMON and other required capabilities enabled
+ in permitted, effective and ambient capability sets of an inherent process:
+
+::
+
+ $ id
+ uid=1003(capsh_test) gid=1004(capsh_test) groups=1004(capsh_test),1000(perf_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+ $ sudo perf.shell
+ [sudo] password for capsh_test:
+ $ grep Cap /proc/self/status
+ CapInh: 0000004000000000
+ CapPrm: 0000004000000000
+ CapEff: 0000004000000000
+ CapBnd: 000000ffffffffff
+ CapAmb: 0000004000000000
+ $ capsh --decode=0000004000000000
+ 0x0000004000000000=cap_perfmon
+
+As a result, members of perf_users group have access to the privileged
+environment where they can use tools employing performance monitoring APIs
+governed by CAP_PERFMON Linux capability.
+
This specific access control management is only available to superuser
or root running processes with CAP_SETPCAP, CAP_SETFCAP [6]_
capabilities.
@@ -267,3 +321,5 @@ Bibliography
.. [12] `<http://man7.org/linux/man-pages/man5/limits.conf.5.html>`_
.. [13] `<https://sites.google.com/site/fullycapable>`_
.. [14] `<http://man7.org/linux/man-pages/man8/auditd.8.html>`_
+.. [15] `<https://man7.org/linux/man-pages/man8/sudo.8.html>`_
+.. [16] `<https://git.kernel.org/pub/scm/libs/libcap/libcap.git/>`_
--
2.24.1
Em Mon, Oct 19, 2020 at 08:15:14PM +0300, Alexey Budankov escreveu:
>
> Assignment of CAP_PERFMON [1] Linux capability to an executable located
> on a file system requires extended attributes (xattrs) [2] to be supported
> by the file system. Even if the file system supports xattrs an fs device
> should be mounted with permission to use xattrs for files located on the
> device (e.g. without nosuid option [3]). No xattrs support and nosuid
> mounts are quite common in HPC and Cloud multiuser environments thus
> applicability of privileged Perf user groups based on file capabilities
> [4] is limited in that environments. Alternative method to confer Linux
> capabilities into a process does still exist and it is thru creation of
> capabilities-enabled-semi-privileged shell environment. Usage of this
> method to extend privileged Perf user groups approach is documented in
> this patch set as an extension to perf-security.rst admin guide file.
>
> [1] https://man7.org/linux/man-pages/man7/capabilities.7.html
> [2] https://man7.org/linux/man-pages/man7/xattr.7.html
> [3] https://man7.org/linux/man-pages/man8/mount.8.html
> [4] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#privileged-perf-users-groups
Thanks, applied.
- Arnaldo
> ---
> Alexey Budankov (2):
> doc/admin-guide: note credentials consolidation under CAP_PERFMON
> doc/admin-guide: document creation of CAP_PERFMON privileged shell
>
> Documentation/admin-guide/perf-security.rst | 81 ++++++++++++++++++---
> 1 file changed, 70 insertions(+), 11 deletions(-)
>
> --
> 2.24.1
>
--
- Arnaldo