Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3471706ybv; Tue, 25 Feb 2020 01:56:27 -0800 (PST) X-Google-Smtp-Source: APXvYqwfygvj13cL4jjhQnnPIzCo5Gszm0bSGXh0VwjTMr/AmUeM0L+00qiYujwhgnhdo9ve8MVi X-Received: by 2002:a05:6830:18f5:: with SMTP id d21mr43351774otf.225.1582624587008; Tue, 25 Feb 2020 01:56:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582624587; cv=none; d=google.com; s=arc-20160816; b=vK1Wjb+WnLyGHZetpb4OTF40wu372xqLUIB4qIW/gdwjRIAjnCRP5cVhAnjTMFd71d 43v+LJywEaNhhVD6voLEuCZAmTUJ5DBs7ppvCuGwt2pAK3HkuuQIEHuFFcXxZ2GqBFJp YexJSKzZWsdrmJR3AuCYADGskgQRnK6Bi+LNUd4E68GAWSXRj1pp+3ul2K1BYO/J5L3w 0npi8Qwn4vGKXhzwLzkhNaV7x+hR+k/LQe9L7Rn615qePsHR925fHejg+yFNyWMteZVI NuMzf9mJfqTB0j62YIl0DA2Vm70L9TRLFa0hNbJOkJnKvqQGlRNX52bfY+5hlcvkH6nP wwHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:organization:references:cc:to:subject:from; bh=TX0RahGMWE00rVXPUpye5O9VNOdCRX0CXIwr4KZ5nYs=; b=demgCtWIpMvLYSHq07kI6sQlu9TS8GVyt1S9MGt3TW2JVUUj6ny2WSdidRhon9gf3d FiCtABb7grL6+2e0dqg/cSZHI6gKG5ulHfYmoTDeTVsGvpCkv1j2hwN/m0GNMjG00vS4 g0YmakGLRygd3TX0gmQJZnKDBCGAI8NhTVEw2awIyezzFLCL6k4EbQAqEXyV2FMFgWH5 EwQ0IX/K6oRtc9Q+0d7EdZaM1WJecWmwKVyH2ctDY6/rXClb4ce9sXzpPIVVhSiGTIzI XPrGPJVS4p4d4Jt8qV53N0StczEXckWuUw1qFn2RlPWOC9v4a7BVq7EnPfSwD8bm2izp m1Zg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p19si7579126otq.296.2020.02.25.01.56.14; Tue, 25 Feb 2020 01:56:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729416AbgBYJ4E (ORCPT + 99 others); Tue, 25 Feb 2020 04:56:04 -0500 Received: from mga03.intel.com ([134.134.136.65]:23639 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725788AbgBYJ4D (ORCPT ); Tue, 25 Feb 2020 04:56:03 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Feb 2020 01:56:01 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,483,1574150400"; d="scan'208";a="317039975" Received: from linux.intel.com ([10.54.29.200]) by orsmga001.jf.intel.com with ESMTP; 25 Feb 2020 01:56:01 -0800 Received: from [10.125.253.45] (abudanko-mobl.ccr.corp.intel.com [10.125.253.45]) by linux.intel.com (Postfix) with ESMTP id 3429A58052E; Tue, 25 Feb 2020 01:55:54 -0800 (PST) From: Alexey Budankov Subject: Re: [PATCH v7 00/12] Introduce CAP_PERFMON to secure system performance monitoring and observability To: James Morris , Serge Hallyn , Stephen Smalley , Peter Zijlstra , Arnaldo Carvalho de Melo , Ingo Molnar , "joonas.lahtinen@linux.intel.com" , Alexei Starovoitov , Will Deacon , Paul Mackerras , Helge Deller , Thomas Gleixner Cc: Andi Kleen , Stephane Eranian , Igor Lubashev , Jiri Olsa , linux-kernel , "intel-gfx@lists.freedesktop.org" , "linux-security-module@vger.kernel.org" , "selinux@vger.kernel.org" , linux-arm-kernel , "linuxppc-dev@lists.ozlabs.org" , "linux-parisc@vger.kernel.org" , oprofile-list@lists.sf.net, "linux-doc@vger.kernel.org" , linux-man@vger.kernel.org References: Organization: Intel Corp. Message-ID: <3ae0bed5-204e-de81-7647-5f0d8106cd67@linux.intel.com> Date: Tue, 25 Feb 2020 12:55:54 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Is there anything else I could do in order to move the changes forward or is something still missing from this patch set? Could you please share you mind? Thanks, Alexey On 17.02.2020 11:02, Alexey Budankov wrote: > > Currently access to perf_events, i915_perf and other performance > monitoring and observability subsystems of the kernel is open only for > a privileged process [1] with CAP_SYS_ADMIN capability enabled in the > process effective set [2]. > > This patch set introduces CAP_PERFMON capability designed to secure > system performance monitoring and observability operations so that > CAP_PERFMON would assist CAP_SYS_ADMIN capability in its governing role > for performance monitoring and observability subsystems of the kernel. > > CAP_PERFMON intends to harden system security and integrity during > performance monitoring and observability operations by decreasing attack > surface that is available to a CAP_SYS_ADMIN privileged process [2]. > Providing the access to performance monitoring and observability > operations under CAP_PERFMON capability singly, without the rest of > CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials > and makes the operation more secure. Thus, CAP_PERFMON implements the > principal of least privilege for performance monitoring and > observability operations (POSIX IEEE 1003.1e: 2.2.2.39 principle of > least privilege: A security design principle that states that a process > or program be granted only those privileges (e.g., capabilities) > necessary to accomplish its legitimate function, and only for the time > that such privileges are actually required) > > CAP_PERFMON intends to meet the demand to secure system performance > monitoring and observability operations for adoption in security > sensitive, restricted, multiuser production environments (e.g. HPC > clusters, cloud and virtual compute environments), where root or > CAP_SYS_ADMIN credentials are not available to mass users of a system, > and securely unblock accessibility of system performance monitoring and > observability operations beyond root and CAP_SYS_ADMIN use cases. > > CAP_PERFMON intends to take over CAP_SYS_ADMIN credentials related to > system performance monitoring and observability operations and balance > amount of CAP_SYS_ADMIN credentials following the recommendations in > the capabilities man page [2] for CAP_SYS_ADMIN: "Note: this capability > is overloaded; see Notes to kernel developers, below." For backward > compatibility reasons access to system performance monitoring and > observability subsystems of the kernel remains open for CAP_SYS_ADMIN > privileged processes but CAP_SYS_ADMIN capability usage for secure > system performance monitoring and observability operations is > discouraged with respect to the designed CAP_PERFMON capability. > > Possible alternative solution to this system security hardening, > capabilities balancing task of making performance monitoring and > observability operations more secure and accessible could be to use > the existing CAP_SYS_PTRACE capability to govern system performance > monitoring and observability subsystems. However CAP_SYS_PTRACE > capability still provides users with more credentials than are > required for secure performance monitoring and observability > operations and this excess is avoided by the designed CAP_PERFMON. > > Although software running under CAP_PERFMON can not ensure avoidance of > related hardware issues, the software can still mitigate those issues > following the official hardware issues mitigation procedure [3]. The > bugs in the software itself can be fixed following the standard kernel > development process [4] to maintain and harden security of system > performance monitoring and observability operations. Finally, the patch > set is shaped in the way that simplifies backtracking procedure of > possible induced issues [5] as much as possible. > > The patch set is for tip perf/core repository: > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip perf/core > sha1: fdb64822443ec9fb8c3a74b598a74790ae8d2e22 > > --- > Changes in v7: > - updated and extended kernel.rst and perf-security.rst documentation > files with the information about CAP_PERFMON capability and its use cases > - documented the case of double audit logging of CAP_PERFMON and CAP_SYS_ADMIN > capabilities on a SELinux enabled system > Changes in v6: > - avoided noaudit checks in perfmon_capable() to explicitly advertise > CAP_PERFMON usage thru audit logs to secure system performance > monitoring and observability > Changes in v5: > - renamed CAP_SYS_PERFMON to CAP_PERFMON > - extended perfmon_capable() with noaudit checks > Changes in v4: > - converted perfmon_capable() into an inline function > - made perf_events kprobes, uprobes, hw breakpoints and namespaces data > available to CAP_SYS_PERFMON privileged processes > - applied perfmon_capable() to drivers/perf and drivers/oprofile > - extended __cmd_ftrace() with support of CAP_SYS_PERFMON > Changes in v3: > - implemented perfmon_capable() macros aggregating required capabilities > checks > Changes in v2: > - made perf_events trace points available to CAP_SYS_PERFMON privileged > processes > - made perf_event_paranoid_check() treat CAP_SYS_PERFMON equally to > CAP_SYS_ADMIN > - applied CAP_SYS_PERFMON to i915_perf, bpf_trace, powerpc and parisc > system performance monitoring and observability related subsystems > > --- > Alexey Budankov (12): > capabilities: introduce CAP_PERFMON to kernel and user space > perf/core: open access to the core for CAP_PERFMON privileged process > perf/core: open access to probes for CAP_PERFMON privileged process > perf tool: extend Perf tool with CAP_PERFMON capability support > drm/i915/perf: open access for CAP_PERFMON privileged process > trace/bpf_trace: open access for CAP_PERFMON privileged process > powerpc/perf: open access for CAP_PERFMON privileged process > parisc/perf: open access for CAP_PERFMON privileged process > drivers/perf: open access for CAP_PERFMON privileged process > drivers/oprofile: open access for CAP_PERFMON privileged process > doc/admin-guide: update perf-security.rst with CAP_PERFMON information > doc/admin-guide: update kernel.rst with CAP_PERFMON information > > Documentation/admin-guide/perf-security.rst | 65 +++++++++++++-------- > Documentation/admin-guide/sysctl/kernel.rst | 16 +++-- > arch/parisc/kernel/perf.c | 2 +- > arch/powerpc/perf/imc-pmu.c | 4 +- > drivers/gpu/drm/i915/i915_perf.c | 13 ++--- > drivers/oprofile/event_buffer.c | 2 +- > drivers/perf/arm_spe_pmu.c | 4 +- > include/linux/capability.h | 4 ++ > include/linux/perf_event.h | 6 +- > include/uapi/linux/capability.h | 8 ++- > kernel/events/core.c | 6 +- > kernel/trace/bpf_trace.c | 2 +- > security/selinux/include/classmap.h | 4 +- > tools/perf/builtin-ftrace.c | 5 +- > tools/perf/design.txt | 3 +- > tools/perf/util/cap.h | 4 ++ > tools/perf/util/evsel.c | 10 ++-- > tools/perf/util/util.c | 1 + > 18 files changed, 98 insertions(+), 61 deletions(-) > > --- > Validation (Intel Skylake, 8 cores, Fedora 29, 5.5.0-rc3+, x86_64): > > libcap library [6], [7], [8] and Perf tool can be used to apply > CAP_PERFMON capability for secure system performance monitoring and > observability beyond the scope permitted by the system wide > perf_event_paranoid kernel setting [9] and below are the steps for > evaluation: > > - patch, build and boot the kernel > - patch, build Perf tool e.g. to /home/user/perf > ... > # git clone git://git.kernel.org/pub/scm/libs/libcap/libcap.git libcap > # pushd libcap > # patch libcap/include/uapi/linux/capabilities.h with [PATCH 1] > # make > # pushd progs > # ./setcap "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" /home/user/perf > # ./setcap -v "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" /home/user/perf > /home/user/perf: OK > # ./getcap /home/user/perf > /home/user/perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep > # echo 2 > /proc/sys/kernel/perf_event_paranoid > # cat /proc/sys/kernel/perf_event_paranoid > 2 > ... > $ /home/user/perf top > ... works as expected ... > $ cat /proc/`pidof perf`/status > Name: perf > Umask: 0002 > State: S (sleeping) > Tgid: 2958 > Ngid: 0 > Pid: 2958 > PPid: 9847 > TracerPid: 0 > Uid: 500 500 500 500 > Gid: 500 500 500 500 > FDSize: 256 > ... > CapInh: 0000000000000000 > CapPrm: 0000004400080000 > CapEff: 0000004400080000 => 01000100 00000000 00001000 00000000 00000000 > cap_perfmon,cap_sys_ptrace,cap_syslog > CapBnd: 0000007fffffffff > CapAmb: 0000000000000000 > NoNewPrivs: 0 > Seccomp: 0 > Speculation_Store_Bypass: thread vulnerable > Cpus_allowed: ff > Cpus_allowed_list: 0-7 > ... > > Usage of cap_perfmon effectively avoids unused credentials excess: > > - with cap_sys_admin: > CapEff: 0000007fffffffff => 01111111 11111111 11111111 11111111 11111111 > > - with cap_perfmon: > CapEff: 0000004400080000 => 01000100 00000000 00001000 00000000 00000000 > 38 34 19 > perfmon syslog sys_ptrace > > --- > [1] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html > [2] http://man7.org/linux/man-pages/man7/capabilities.7.html > [3] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html > [4] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html > [5] https://www.kernel.org/doc/html/latest/process/management-style.html#decisions > [6] http://man7.org/linux/man-pages/man8/setcap.8.html > [7] https://git.kernel.org/pub/scm/libs/libcap/libcap.git > [8] https://sites.google.com/site/fullycapable/, posix_1003.1e-990310.pdf > [9] http://man7.org/linux/man-pages/man2/perf_event_open.2.html >