Subject: Re: [PATCH v6 01/10] capabilities: introduce CAP_PERFMON to kernel and user space
To: Stephen Smalley, James Morris, Serge Hallyn, Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar, joonas.lahtinen@linux.intel.com, Alexei Starovoitov, Will Deacon, Paul Mackerras, Michael Ellerman
Cc: Andi Kleen, Thomas Gleixner, Stephane Eranian, Igor Lubashev, Jiri Olsa, linux-kernel, intel-gfx@lists.freedesktop.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-arm-kernel, linuxppc-dev@lists.ozlabs.org, linux-parisc@vger.kernel.org, oprofile-list@lists.sf.net
References: <576a6141-36d4-14c0-b395-8d195892b916@linux.intel.com> <5be0f67c-17e2-7861-37f3-a0f8a82be8f0@tycho.nsa.gov>
From: Alexey Budankov
Organization: Intel Corp.
Message-ID: <1bcb4cb1-98c4-cc1a-b8e3-fd8a0e1e606f@linux.intel.com>
Date: Thu, 6 Feb 2020 21:26:24 +0300
In-Reply-To: <5be0f67c-17e2-7861-37f3-a0f8a82be8f0@tycho.nsa.gov>
X-Mailing-List: linux-kernel@vger.kernel.org

On 06.02.2020 21:23, Stephen Smalley wrote:
> On 2/5/20 12:30 PM, Alexey Budankov wrote:
>>
>> Introduce CAP_PERFMON capability designed to secure system performance
>> monitoring and observability operations so that CAP_PERFMON would assist
>> CAP_SYS_ADMIN capability in its governing role for performance monitoring
>> and observability subsystems.
>>
>> CAP_PERFMON hardens system security and integrity during performance
>> monitoring and observability operations by decreasing attack surface that
>> is available to a CAP_SYS_ADMIN privileged process [2]. Providing the access
>> to system performance monitoring and observability operations under CAP_PERFMON
>> capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes
>> chances to misuse the credentials and makes the operation more secure.
>> Thus, CAP_PERFMON implements the principle of least privilege for performance
>> monitoring and observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle
>> of least privilege: A security design principle that states that a process
>> or program be granted only those privileges (e.g., capabilities) necessary
>> to accomplish its legitimate function, and only for the time that such
>> privileges are actually required).
>>
>> CAP_PERFMON meets the demand to secure system performance monitoring and
>> observability operations for adoption in security sensitive, restricted,
>> multiuser production environments (e.g. HPC clusters, cloud and virtual compute
>> environments), where root or CAP_SYS_ADMIN credentials are not available to
>> mass users of a system, and securely unblocks accessibility of system
>> performance monitoring and observability operations beyond root and
>> CAP_SYS_ADMIN use cases.
>>
>> CAP_PERFMON takes over CAP_SYS_ADMIN credentials related to system performance
>> monitoring and observability operations and balances amount of CAP_SYS_ADMIN
>> credentials following the recommendations in the capabilities man page [1]
>> for CAP_SYS_ADMIN: "Note: this capability is overloaded; see Notes to kernel
>> developers, below." For backward compatibility reasons access to system
>> performance monitoring and observability subsystems of the kernel remains
>> open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN capability
>> usage for secure system performance monitoring and observability operations
>> is discouraged with respect to the designed CAP_PERFMON capability.
>>
>> Although the software running under CAP_PERFMON cannot ensure avoidance
>> of related hardware issues, the software can still mitigate these issues
>> following the official hardware issues mitigation procedure [2]. The bugs
>> in the software itself can be fixed following the standard kernel development
>> process [3] to maintain and harden security of system performance monitoring
>> and observability operations.
>>
>> [1] http://man7.org/linux/man-pages/man7/capabilities.7.html
>> [2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
>> [3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
>>
>> Signed-off-by: Alexey Budankov
>
> This will require a small update to the selinux-testsuite to correctly reflect the new capability requirements, but that's easy enough.

Is the suite a part of the kernel sources or something else?

~Alexey

> Acked-by: Stephen Smalley
>
>> --- >>   include/linux/capability.h          | 4 ++++ >>   include/uapi/linux/capability.h     | 8 +++++++- >>   security/selinux/include/classmap.h | 4 ++-- >>   3 files changed, 13 insertions(+), 3 deletions(-) >> >> diff --git a/include/linux/capability.h b/include/linux/capability.h >> index ecce0f43c73a..027d7e4a853b 100644 >> --- a/include/linux/capability.h >> +++ b/include/linux/capability.h >> @@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct >>   extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); >>   extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); >>   extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); >> +static inline bool perfmon_capable(void) >> +{ >> +    return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); >> +} >>     /* audit system wants to get cap info from files as well */ >>   extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); >> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h >> index 240fdb9a60f6..8b416e5f3afa 100644 >> --- a/include/uapi/linux/capability.h >> +++ b/include/uapi/linux/capability.h >> @@ -366,8 +366,14 @@ struct vfs_ns_cap_data { >>     #define CAP_AUDIT_READ        37 >>   +/* >> + * Allow system performance and observability privileged operations >> + * using perf_events, i915_perf and other kernel subsystems >> + */ >> + >> +#define CAP_PERFMON        38 >>   -#define CAP_LAST_CAP         CAP_AUDIT_READ >> +#define CAP_LAST_CAP         CAP_PERFMON >>     #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) >>   
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h >> index 7db24855e12d..c599b0c2b0e7 100644 >> --- a/security/selinux/include/classmap.h >> +++ b/security/selinux/include/classmap.h >> @@ -27,9 +27,9 @@ >>           "audit_control", "setfcap" >>     #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \ >> -        "wake_alarm", "block_suspend", "audit_read" >> +        "wake_alarm", "block_suspend", "audit_read", "perfmon" >>   -#if CAP_LAST_CAP > CAP_AUDIT_READ >> +#if CAP_LAST_CAP > CAP_PERFMON >>   #error New capability defined, please update COMMON_CAP2_PERMS. >>   #endif >>   >
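Review bot: perfmon_capable() in the include/linux/capability.h hunk carries no comment explaining its semantics; a short kernel-doc line stating that CAP_SYS_ADMIN is accepted only as the backward-compatibility fallback the commit message describes would help callers pick the right check. The evaluation order is also worth spelling out there: a caller holding only CAP_SYS_ADMIN is first checked for CAP_PERFMON and fails that check before passing on the second capable() call, which anyone correlating denied-capability logs with this helper will want to know.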
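Review bot: the CAP_PERFMON block in the include/uapi/linux/capability.h hunk adds an empty `+` line between the closing `*/` and `#define CAP_PERFMON 38`, which the neighbouring `#define CAP_AUDIT_READ 37` does not have; drop the blank line so the comment sits directly above the definition it documents. Since this header is what user space reads, the comment could also say that CAP_SYS_ADMIN continues to be accepted for these operations, matching the backward-compatibility note in the commit message.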
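Review bot: in the security/selinux/include/classmap.h hunk the position of "perfmon" in COMMON_CAP2_PERMS is what ties it to capability number 38, so it must stay the last entry until the next capability is appended after it; the updated `#if CAP_LAST_CAP > CAP_PERFMON` guard enforces that correctly. As Stephen notes above, the selinux-testsuite (and policy granting the new perfmon permission to domains that so far relied on sys_admin) needs a matching update; a sentence in the commit message that existing policies keep working through the CAP_SYS_ADMIN fallback in perfmon_capable() would make the policy impact explicit.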
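To make the decision in perfmon_capable() concrete from the administrator's side, here is an added example (not part of the patch or the kernel) that applies the same rule to the CapEff mask a process exposes in /proc/<pid>/status and flags processes that still obtain perf access through the CAP_SYS_ADMIN fallback rather than the narrower CAP_PERFMON. It assumes CAP_PERFMON == 38 from the patch and CAP_SYS_ADMIN == 21 from the existing capability numbering; the helper names (parse_capeff, mask_has, perfmon_capable_mask, uses_sys_admin_fallback) and the status lines are my own constructions.

```c
/* Added example, not kernel code: apply the perfmon_capable() rule from the
 * patch to the "CapEff:" mask in /proc/<pid>/status. Assumes CAP_PERFMON == 38
 * (from the patch) and CAP_SYS_ADMIN == 21 (existing kernel numbering). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP_SYS_ADMIN 21
#define CAP_PERFMON   38
#define CAP_LAST_CAP  CAP_PERFMON
#define cap_valid(x)  ((x) >= 0 && (x) <= CAP_LAST_CAP)

/* Parse the hex mask after "CapEff:"; returns 0 if the line has no such field. */
uint64_t parse_capeff(const char *line)
{
    const char *p = strstr(line, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0;
}

/* Test one capability bit, rejecting numbers outside the valid range. */
bool mask_has(uint64_t mask, int cap)
{
    return cap_valid(cap) && ((mask >> cap) & 1);
}

/* Same decision as the kernel helper: CAP_PERFMON, else the CAP_SYS_ADMIN
 * fallback the commit message keeps for backward compatibility. */
bool perfmon_capable_mask(uint64_t mask)
{
    return mask_has(mask, CAP_PERFMON) || mask_has(mask, CAP_SYS_ADMIN);
}

/* True when perf access comes only via overloaded CAP_SYS_ADMIN: a candidate for being re-granted CAP_PERFMON. */
bool uses_sys_admin_fallback(uint64_t mask)
{
    return !mask_has(mask, CAP_PERFMON) && mask_has(mask, CAP_SYS_ADMIN);
}

int main(void)
{
    /* Constructed status lines, not captured from a real system. */
    const char *samples[] = { "CapEff:\t0000004000000000",   /* CAP_PERFMON only */
                              "CapEff:\t0000000000200000" }; /* CAP_SYS_ADMIN only */
    for (size_t i = 0; i < 2; i++)
        printf("%s perfmon_capable=%d sys_admin_fallback=%d\n", samples[i],
               perfmon_capable_mask(parse_capeff(samples[i])),
               uses_sys_admin_fallback(parse_capeff(samples[i])));
    return 0;
}
```

Running it over every /proc/<pid>/status on a host lists which monitoring tools already run with the least-privilege capability and which still carry the full CAP_SYS_ADMIN set.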