Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp461378ybb; Fri, 3 Apr 2020 06:09:48 -0700 (PDT) X-Google-Smtp-Source: APiQypKNVwDmjXzB0U5AQmizhFS59Jvidhuu0BRiQ6S2zC9KuSgf4qUWfYFHVlOAtgWC8WipI8x1 X-Received: by 2002:a9d:468b:: with SMTP id z11mr6437069ote.311.1585919388790; Fri, 03 Apr 2020 06:09:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585919388; cv=none; d=google.com; s=arc-20160816; b=uMuDyLoIYX3aRotIT5/xpePNF6CTd0SrSLQ5SydKn+L8ffdptzwBuIINqa6cLJhM8A ImEv7DUr2nGtRclscg20QyHJfiujLIe04Hmj0JQnN6vpb0cAF/OcVNYf98nBbyPvbpon POKr/NxZIf66pACHXNcC5TnpajMk5LLJv3FfNXRiUHGbXi65bgQ+DxtNEO5opzAIKSxv 7i0RcWhMdBS0AG6TxHmyvnfu68XHziDh6NAllzYM7cYCf5MCqmub6fHetcf+f3J4r0K0 gqhWGP+QBwpKWmqKWcjFnmOVBwCzSgkawJfn0GdhTyBRo5n/1Z+b7SmECyTvHuP5Zy+b C73w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:organization:from:references:cc:to:subject:ironport-sdr :ironport-sdr; bh=T7xljjkf6vvtuNWLFh2/e60uk7kq6FI4O2g3F9K9plg=; b=0+o1sikIY0yIaF1F8/G/D+6yKmNAQNPIEoihREP6BjGCFL9PxKb0Efp4+YgCTLPQB1 R6cC/UAxB4EEauDn8n0fLwAJddW6s0xJUQmjQJvCAm/RG3jzlPtWILAArXz/qGD3DUpP bvSdlk8DRxmFlHNdmoTjm7u3WHJMRWZ9/Fw957cltXcIlz3cyU1w+LCYSxVZVMJMtjwG gBWki5bXu4Sgp27tD7LkEDSzPWVMYvlLdsuaympEQmFZiFKy8g8SICP1jWnsCM9xB/P/ NcHq12TgofSnhzAt5ztbeRXu5jhkZpw4Ug2PIANGRedA7EsFz33avGTSzYsDAlhqv3rF Ok0A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t19si3797201otq.0.2020.04.03.06.09.31; Fri, 03 Apr 2020 06:09:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403885AbgDCNI0 (ORCPT + 99 others); Fri, 3 Apr 2020 09:08:26 -0400 Received: from mga05.intel.com ([192.55.52.43]:24643 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728001AbgDCNIZ (ORCPT ); Fri, 3 Apr 2020 09:08:25 -0400 IronPort-SDR: 5jBA5CXyyVaTeLdtl8N4Ty8c2GLxNh95x6P1IMrPwDA6uJftsIf8E6OiOcU+ysUbVTncm+/8Ls pGseaCdHKYew== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Apr 2020 06:08:24 -0700 IronPort-SDR: eRbNnU/rrDVFmfPF1paXBtVE7T+boFiNmimnvsynFAx7AqUKmKsq45Gu0Hyf0/gNHc14/OXMM+ ZhahdNoYwqYg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,339,1580803200"; d="scan'208";a="273943090" Received: from linux.intel.com ([10.54.29.200]) by fmsmga004.fm.intel.com with ESMTP; 03 Apr 2020 06:08:23 -0700 Received: from [10.249.254.224] (abudanko-mobl.ccr.corp.intel.com [10.249.254.224]) by linux.intel.com (Postfix) with ESMTP id 3E6E958077B; Fri, 3 Apr 2020 06:08:17 -0700 (PDT) Subject: Re: [PATCH v8 04/12] perf tool: extend Perf tool with CAP_PERFMON capability support To: Jiri Olsa Cc: Peter Zijlstra , Arnaldo Carvalho de Melo , Alexei Starovoitov , Ingo Molnar , James Morris , Namhyung Kim , Serge Hallyn , Song Liu , Andi Kleen , Stephane Eranian , Igor Lubashev , Thomas Gleixner , linux-kernel , "linux-security-module@vger.kernel.org" , "selinux@vger.kernel.org" , "intel-gfx@lists.freedesktop.org" , "linux-doc@vger.kernel.org" , linux-man@vger.kernel.org References: <20200403110828.GL2784502@krava> From: Alexey Budankov Organization: Intel Corp. Message-ID: <56648455-3650-1fa2-6364-659d92d5dc14@linux.intel.com> Date: Fri, 3 Apr 2020 16:08:16 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0 MIME-Version: 1.0 In-Reply-To: <20200403110828.GL2784502@krava> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03.04.2020 14:08, Jiri Olsa wrote: > On Thu, Apr 02, 2020 at 11:47:35AM +0300, Alexey Budankov wrote: >> >> Extend error messages to mention CAP_PERFMON capability as an option >> to substitute CAP_SYS_ADMIN capability for secure system performance >> monitoring and observability operations. Make perf_event_paranoid_check() >> and __cmd_ftrace() to be aware of CAP_PERFMON capability. >> >> CAP_PERFMON implements the principal of least privilege for performance >> monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 >> principle of least privilege: A security design principle that states >> that a process or program be granted only those privileges (e.g., >> capabilities) necessary to accomplish its legitimate function, and only >> for the time that such privileges are actually required) >> >> For backward compatibility reasons access to perf_events subsystem remains >> open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for >> secure perf_events monitoring is discouraged with respect to CAP_PERFMON >> capability. >> >> Signed-off-by: Alexey Budankov >> Reviewed-by: James Morris > > Acked-by: Jiri Olsa Thanks! I appreciate you support. ~Alexey > > thanks, > jirka > >> --- >> tools/perf/builtin-ftrace.c | 5 +++-- >> tools/perf/design.txt | 3 ++- >> tools/perf/util/cap.h | 4 ++++ >> tools/perf/util/evsel.c | 10 +++++----- >> tools/perf/util/util.c | 1 + >> 5 files changed, 15 insertions(+), 8 deletions(-) >> >> diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c >> index d5adc417a4ca..55eda54240fb 100644 >> --- a/tools/perf/builtin-ftrace.c >> +++ b/tools/perf/builtin-ftrace.c >> @@ -284,10 +284,11 @@ static int __cmd_ftrace(struct perf_ftrace *ftrace, int argc, const char **argv) >> .events = POLLIN, >> }; >> >> - if (!perf_cap__capable(CAP_SYS_ADMIN)) { >> + if (!(perf_cap__capable(CAP_PERFMON) || >> + perf_cap__capable(CAP_SYS_ADMIN))) { >> pr_err("ftrace only works for %s!\n", >> #ifdef HAVE_LIBCAP_SUPPORT >> - "users with the SYS_ADMIN capability" >> + "users with the CAP_PERFMON or CAP_SYS_ADMIN capability" >> #else >> "root" >> #endif >> diff --git a/tools/perf/design.txt b/tools/perf/design.txt >> index 0453ba26cdbd..a42fab308ff6 100644 >> --- a/tools/perf/design.txt >> +++ b/tools/perf/design.txt >> @@ -258,7 +258,8 @@ gets schedule to. Per task counters can be created by any user, for >> their own tasks. >> >> A 'pid == -1' and 'cpu == x' counter is a per CPU counter that counts >> -all events on CPU-x. Per CPU counters need CAP_SYS_ADMIN privilege. >> +all events on CPU-x. Per CPU counters need CAP_PERFMON or CAP_SYS_ADMIN >> +privilege. >> >> The 'flags' parameter is currently unused and must be zero. >> >> diff --git a/tools/perf/util/cap.h b/tools/perf/util/cap.h >> index 051dc590ceee..ae52878c0b2e 100644 >> --- a/tools/perf/util/cap.h >> +++ b/tools/perf/util/cap.h >> @@ -29,4 +29,8 @@ static inline bool perf_cap__capable(int cap __maybe_unused) >> #define CAP_SYSLOG 34 >> #endif >> >> +#ifndef CAP_PERFMON >> +#define CAP_PERFMON 38 >> +#endif >> + >> #endif /* __PERF_CAP_H */ >> diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c >> index 816d930d774e..2696922f06bc 100644 >> --- a/tools/perf/util/evsel.c >> +++ b/tools/perf/util/evsel.c >> @@ -2507,14 +2507,14 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target, >> "You may not have permission to collect %sstats.\n\n" >> "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" >> "which controls use of the performance events system by\n" >> - "unprivileged users (without CAP_SYS_ADMIN).\n\n" >> + "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n" >> "The current value is %d:\n\n" >> " -1: Allow use of (almost) all events by all users\n" >> " Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n" >> - ">= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN\n" >> - " Disallow raw tracepoint access by users without CAP_SYS_ADMIN\n" >> - ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n" >> - ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN\n\n" >> + ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n" >> + " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n" >> + ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n" >> + ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n" >> "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n" >> " kernel.perf_event_paranoid = -1\n" , >> target->system_wide ? "system-wide " : "", >> diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c >> index d707c9624dd9..37a9492edb3e 100644 >> --- a/tools/perf/util/util.c >> +++ b/tools/perf/util/util.c >> @@ -290,6 +290,7 @@ int perf_event_paranoid(void) >> bool perf_event_paranoid_check(int max_level) >> { >> return perf_cap__capable(CAP_SYS_ADMIN) || >> + perf_cap__capable(CAP_PERFMON) || >> perf_event_paranoid() <= max_level; >> } >> >> -- >> 2.24.1 >> >