Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp2459787ybl; Mon, 20 Jan 2020 03:24:22 -0800 (PST) X-Google-Smtp-Source: APXvYqzRPXxbF+Kb2Vtgn9b7FR9MUH//TiwXhSfTA12vuL9aopdLPIPLX7ayTnpKzI/f2DZWhclY X-Received: by 2002:a9d:7999:: with SMTP id h25mr15559666otm.347.1579519462514; Mon, 20 Jan 2020 03:24:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579519462; cv=none; d=google.com; s=arc-20160816; b=MkkJNzwsfw7yQMFl91uTa3SZQko+uaMhtb0sbwx9t/yaMVVAANhtmkvm2Dcm3h6JAJ qWpq1GEQ2IZVic0sTJe/tquE5Ekczm+EwB+jzErOYpRMbli594A9twIujC/ME2UZie8W aicSkrxt7osxAGIOXxcxAQVC9X4dcvQjx6/+6a0AvRTQzI7A+49TtZ6U0ZNkBm1CO4Xa jVOwWAOXHLv5VCV4xmlKC61RdwNkto/P9chXTtV0ci5Me8KJ6EHeHyIVLFm2Q5Sh1ITx OohV+2LFzrYkrdQQMDm/uN5Ls3SDncMfKdH1cRaXyUNZqvR7OLFj5zKLnk0EsL9Venrp rI1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:organization:references:cc:to:from:subject; bh=OyRRkIZqaR4TWgeTSJK5fnlvfVp3J5nWgiBJRIQv5OI=; b=DlMJ4uyGcrHdbJ3Nn7unueadSibuihiqZcKcBhWUCes39hyYdiiN68VBVDRJTsLbbt vZQbec2ny1BAeEOWcOm/g0chaSIo3zQrIvdvGMSk5YGLCfzf8pBJ9v24zj47d95lo+SD wVv3QrelgRvHkqGnZXghYJ/gMvAt5WgCTr+RyjfO9AiBD1AKnvO0z5fLJ+pca3oSfQmz B9cyuApxjaOUDU+ezSwKFp0kJD1LVlzkHqLwcLjuqjs1NScDQNUcVdULGWaLUGmIsxJL ca1nLKQvt8hE/DzAykHnzA5ZSj5LNc5QiKJ6liyqY52bfeckAHk4ikCw96qp5TAXZuN/ 1Egg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k19si19067577otr.52.2020.01.20.03.24.08; Mon, 20 Jan 2020 03:24:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726796AbgATLXM (ORCPT + 99 others); Mon, 20 Jan 2020 06:23:12 -0500 Received: from mga14.intel.com ([192.55.52.115]:41716 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726573AbgATLXM (ORCPT ); Mon, 20 Jan 2020 06:23:12 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Jan 2020 03:23:11 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,341,1574150400"; d="scan'208";a="244380297" Received: from linux.intel.com ([10.54.29.200]) by orsmga002.jf.intel.com with ESMTP; 20 Jan 2020 03:23:10 -0800 Received: from [10.125.252.193] (abudanko-mobl.ccr.corp.intel.com [10.125.252.193]) by linux.intel.com (Postfix) with ESMTP id 386365802C1; Mon, 20 Jan 2020 03:23:01 -0800 (PST) Subject: [PATCH v5 01/10] capabilities: introduce CAP_PERFMON to kernel and user space From: Alexey Budankov To: Peter Zijlstra , Arnaldo Carvalho de Melo , Ingo Molnar , "jani.nikula@linux.intel.com" , "joonas.lahtinen@linux.intel.com" , "rodrigo.vivi@intel.com" , "benh@kernel.crashing.org" , Paul Mackerras , Michael Ellerman , "james.bottomley@hansenpartnership.com" , Serge Hallyn , James Morris , Will Deacon , Mark Rutland , Robert Richter , Alexei Starovoitov Cc: Jiri Olsa , Andi Kleen , Stephane Eranian , Igor Lubashev , Alexander Shishkin , Namhyung Kim , Song Liu , Lionel Landwerlin , Thomas Gleixner , linux-kernel , "linux-security-module@vger.kernel.org" , "selinux@vger.kernel.org" , "intel-gfx@lists.freedesktop.org" , "linux-parisc@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" , linux-arm-kernel@lists.infradead.org, "linux-perf-users@vger.kernel.org" , oprofile-list@lists.sf.net References: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com> Organization: Intel Corp. Message-ID: <9b77124b-675d-5ac7-3741-edec575bd425@linux.intel.com> Date: Mon, 20 Jan 2020 14:23:00 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <0548c832-7f4b-dc4c-8883-3f2b6d351a08@linux.intel.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Introduce CAP_PERFMON capability designed to secure system performance monitoring and observability operations so that CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role for perf_events, i915_perf and other performance monitoring and observability subsystems. CAP_PERFMON intends to harden system security and integrity during system performance monitoring and observability operations by decreasing attack surface that is available to a CAP_SYS_ADMIN privileged process [1]. Providing access to system performance monitoring and observability operations under CAP_PERFMON capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and makes operation more secure. CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to system performance monitoring and observability operations and balance amount of CAP_SYS_ADMIN credentials following the recommendations in the capabilities man page [1] for CAP_SYS_ADMIN: "Note: this capability is overloaded; see Notes to kernel developers, below." Although the software running under CAP_PERFMON can not ensure avoidance of related hardware issues, the software can still mitigate these issues following the official embargoed hardware issues mitigation procedure [2]. The bugs in the software itself could be fixed following the standard kernel development process [3] to maintain and harden security of system performance monitoring and observability operations. [1] http://man7.org/linux/man-pages/man7/capabilities.7.html [2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html [3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html Signed-off-by: Alexey Budankov --- include/linux/capability.h | 12 ++++++++++++ include/uapi/linux/capability.h | 8 +++++++- security/selinux/include/classmap.h | 4 ++-- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/include/linux/capability.h b/include/linux/capability.h index ecce0f43c73a..8784969d91e1 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -251,6 +251,18 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); +static inline bool perfmon_capable(void) +{ + struct user_namespace *ns = &init_user_ns; + + if (ns_capable_noaudit(ns, CAP_PERFMON)) + return ns_capable(ns, CAP_PERFMON); + + if (ns_capable_noaudit(ns, CAP_SYS_ADMIN)) + return ns_capable(ns, CAP_SYS_ADMIN); + + return false; +} /* audit system wants to get cap info from files as well */ extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h index 240fdb9a60f6..8b416e5f3afa 100644 --- a/include/uapi/linux/capability.h +++ b/include/uapi/linux/capability.h @@ -366,8 +366,14 @@ struct vfs_ns_cap_data { #define CAP_AUDIT_READ 37 +/* + * Allow system performance and observability privileged operations + * using perf_events, i915_perf and other kernel subsystems + */ + +#define CAP_PERFMON 38 -#define CAP_LAST_CAP CAP_AUDIT_READ +#define CAP_LAST_CAP CAP_PERFMON #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 7db24855e12d..c599b0c2b0e7 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -27,9 +27,9 @@ "audit_control", "setfcap" #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ - "wake_alarm", "block_suspend", "audit_read" + "wake_alarm", "block_suspend", "audit_read", "perfmon" -#if CAP_LAST_CAP > CAP_AUDIT_READ +#if CAP_LAST_CAP > CAP_PERFMON #error New capability defined, please update COMMON_CAP2_PERMS. #endif -- 2.20.1