Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp138722ybi;
        Fri, 14 Jun 2019 20:55:40 -0700 (PDT)
X-Google-Smtp-Source: APXvYqx8KRFPtxlJk/K70fI4uCecfb5nL/1rWp4cPmu2m+Nw3QD8Yrrb2/v8vNAxx35ZnFb4R8SZ
X-Received: by 2002:a63:1622:: with SMTP id w34mr38991765pgl.45.1560570940479;
        Fri, 14 Jun 2019 20:55:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560570940; cv=none;
        d=google.com; s=arc-20160816;
        b=JwoN2gdOxInBVBAW49MmI+dIepz5VWlrBBF7NIgTJDj+7iNNz6tQ9V8uUYwnrgR7z6
         WH0lb0YsYffYQ7Le+1IMeWCeDOGRFdPsv++TNR1EWBiEn++3K8b5WdRsv9P/xTfZHoD0
         dDKQUORPIqGP+atZUnwP+LGTkN4/Plb0dFnLvKdcoIvc4NncoGWOglMo6CwZxMbmN6Cj
         9DwxrRYsPYqW+xClrpqHXo4Kpv8pcM7E94T1AnSZlgv2Q3TCifSdV4TGD+UoIMTXL9vb
         d7qZkpAwTJTLmpN8TDCM2cyb+lNH9s8jvBVHKmF8UPwRa9e2qdS7XfXPwgY6xL8mqSWP
         p7ww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=SbgRwul+lU3LAkD0FOw8XndXzSoPbtZglwX9996ta7s=;
        b=hG8FlniPtROls5YGE2lvD7C7K2yB6umwecAgwN3wBB1si2w34pD/xu+4yBjJ/ID7GY
         d4lyes2VPcuVEVthqYtiWJvJxHLNDmN1VjmKVhuR00u3b8tGWgam6lrEFCAsEs7iY85l
         zVCe9hsg+2Ev7xUBA3V+lMiimrTB8o+miD7rr4HcLCdn96C7PDirX5OJXKcNwspRl8rF
         u9hsSjqVayokZzd7kGZraHiM8LT5dQ2lfJ5JCHlTD5LpwMLmgNEQDdEQG3Rry3wzgDHG
         6AKzbi3nq7gogiRBdzU4ApKDSWxyUqph0gN1W49V6Ep+3X5mahzrVbUEoptS1AuEvWXw
         AGGw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 25si4404314pgw.171.2019.06.14.20.54.46;
        Fri, 14 Jun 2019 20:55:40 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726340AbfFODyO (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Fri, 14 Jun 2019 23:54:14 -0400
Received: from namei.org ([65.99.196.166]:39348 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726071AbfFODyN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 14 Jun 2019 23:54:13 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x5F3rkli004852;
        Sat, 15 Jun 2019 03:53:46 GMT
Date:   Fri, 14 Jun 2019 20:53:46 -0700 (PDT)
From:   James Morris <jmorris@namei.org>
To:     "Lubashev, Igor" <ilubashe@akamai.com>
cc:     Serge Hallyn <serge@hallyn.com>,
        "linux-security-module@vger.kernel.org" 
        <linux-security-module@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve
 fsuid/fsgid across execve
In-Reply-To: <720751180a9543cfa205cd527248df7c@ustx2ex-dag1mb5.msg.corp.akamai.com>
Message-ID: <alpine.LRH.2.21.1906142049480.3646@namei.org>
References: <1560473087-27754-1-git-send-email-ilubashe@akamai.com> <alpine.LRH.2.21.1906141445010.7150@namei.org> <720751180a9543cfa205cd527248df7c@ustx2ex-dag1mb5.msg.corp.akamai.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 15 Jun 2019, Lubashev, Igor wrote:

> > On Friday, June 14, 2019, James Morris wrote:

> Unfortunately, perf is using uid==0 and euid==0 as a "capability bits".
>
> 
> In tools/perf/util/evsel.c:
> 	static bool perf_event_can_profile_kernel(void)
> 	{
> 		return geteuid() == 0 || perf_event_paranoid() == -1;
> 	}
> 
> In tools/perf/util/symbol.c:
> 	static bool symbol__read_kptr_restrict(void)
> 	{
> 	...
> 		value = ((geteuid() != 0) || (getuid() != 0)) ?
> 				(atoi(line) != 0) :
> 				(atoi(line) == 2);
> 	...
> 	}

These are bugs. They should be checking for CAP_SYS_ADMIN.


> 
> > Have you considered the example security configuration in
> > Documentation/admin-guide/perf-security.rst ?
> 
> Unfortunately, this configuration does not work, unless you reset 
> /proc/sys/kernel/perf_event_paranoid to a permissive level (see code 
> above). We have perf_event_paranoid set to 2. If it worked, we could had 
> implemented the same capability-based policy in the wrapper.

This is not necessary for a process which has CAP_SYS_ADMIN.


-- 
James Morris
<jmorris@namei.org>