Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp3371176pxu; Mon, 19 Oct 2020 10:21:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw20IyYD4rj3L53bNjr6qMSWYX0wjLejztRX070jRTpHaWB7UmTFhyvqcjkks83F6j1Qumk X-Received: by 2002:a17:906:b1d6:: with SMTP id bv22mr957590ejb.60.1603128072896; Mon, 19 Oct 2020 10:21:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603128072; cv=none; d=google.com; s=arc-20160816; b=ZQCymcUGY11vlNjF3PTQ1iFg+mzn/0jKoMSz7udo6IfgQ0s2iY0NMS7hbWWj0pjuVO tLtqArjANw80zRm6NZwgrA92HvdAxGst5xxWeoEASkiSfoXCscDCPOK4/1m1uXQWEo0z FsqF04r+ASkn8Wqjkd22CfcT+U56iO/VInLHf74aTDx09VirX9nJQ0LqeJhI+52Wzktu BnyFEoI49M0nJuRKMqlvDKwidjeDbXbJ6+egMSbgLZImGVP6FlHCTiFAqoSiRHcvDcGg mDkP71c72SrkjFiyq60uMANhPafomYQZvAhDZV+IPkYMLjowfS+nzSxVtvOxDZ+E4rIU GsRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:organization :references:cc:to:from:subject:ironport-sdr:ironport-sdr; bh=ayB1oO95IKiCVb/srgRGds38k+jRzYVU8BgFqwng1Bk=; b=TObgfR+9lyM/BpE/w/l18nX0rEMtvRRwE7cs/6DK4RM/fAk1LIPjiRtAT7ed8TSw7f h1FhRZwgG7eaF1HIWYhBbXct9rGgxpyBsNzoZyvUjtnzWNhxjXBTdVGuha08L2ijXXrL ODWFVMvda4Q6F09YZythDz0P705bbOQ0bQkpD6O34BOShlZ64zXkQlY9yPF3BkZTgJm9 HOBtbd21y65CHmMyopVgcD4tQ80rF3FfiCtKJrGELR1svT8ZdPP3PcdZ1BH/9KCt+g/2 YS17qryRSjuGbdDv5NlPo4VD4ym+Ac83N3omiVQLjI3e7p2oRIBC7ONJvr+jKCEBV3Xb ErDw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s14si236082edr.299.2020.10.19.10.20.50; Mon, 19 Oct 2020 10:21:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730943AbgJSRST (ORCPT + 99 others); Mon, 19 Oct 2020 13:18:19 -0400 Received: from mga04.intel.com ([192.55.52.120]:17145 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729916AbgJSRST (ORCPT ); Mon, 19 Oct 2020 13:18:19 -0400 IronPort-SDR: L8wNw8c3HPslVFpV8BiHrbBUvmK5JP4ehpAfnCQvgGq1jHHpq4SoalOryRXmeqHnaNRg1yf6fX ZfxT3RHk4Cnw== X-IronPort-AV: E=McAfee;i="6000,8403,9779"; a="164453863" X-IronPort-AV: E=Sophos;i="5.77,395,1596524400"; d="scan'208";a="164453863" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Oct 2020 10:18:16 -0700 IronPort-SDR: uURWCD8DH4znlXXNZiR90hDAbHypj8LXyyVXfkclV9hisa5mTBTLY6JiWG8P1PJ3vpT185JDkV gbiuprYQlSow== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.77,395,1596524400"; d="scan'208";a="320348640" Received: from linux.intel.com ([10.54.29.200]) by orsmga006.jf.intel.com with ESMTP; 19 Oct 2020 10:18:16 -0700 Received: from [10.249.225.38] (abudanko-mobl.ccr.corp.intel.com [10.249.225.38]) by linux.intel.com (Postfix) with ESMTP id 9CC27580127; Mon, 19 Oct 2020 10:18:13 -0700 (PDT) Subject: [PATCH v1 2/2] doc/admin-guide: document creation of CAP_PERFMON privileged shell From: Alexey Budankov To: Arnaldo Carvalho de Melo Cc: Jiri Olsa , Namhyung Kim , Alexander Shishkin , Andi Kleen , Peter Zijlstra , Ingo Molnar , linux-kernel , "linux-security-module@vger.kernel.org" , "linux-doc@vger.kernel.org" , linux-man@vger.kernel.org References: <161a51d3-7cdf-f9ee-c438-42bb7404693e@linux.intel.com> Organization: Intel Corp. Message-ID: <0abda956-de6c-95b1-61e8-49e146501079@linux.intel.com> Date: Mon, 19 Oct 2020 20:18:12 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1 MIME-Version: 1.0 In-Reply-To: <161a51d3-7cdf-f9ee-c438-42bb7404693e@linux.intel.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Document steps to create CAP_PERFMON privileged shell to unblock Perf tool usage in cases when capabilities can't be assigned to an executable due to limitations of used file system. Suggested-by: Andi Kleen Signed-off-by: Alexey Budankov --- Documentation/admin-guide/perf-security.rst | 68 +++++++++++++++++++-- 1 file changed, 62 insertions(+), 6 deletions(-) diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst index 57a65e27eeb9..904e4eb37f99 100644 --- a/Documentation/admin-guide/perf-security.rst +++ b/Documentation/admin-guide/perf-security.rst @@ -102,11 +102,11 @@ CAP_SYSLOG capability permits reading kernel space memory addresses from Privileged Perf users groups --------------------------------- -Mechanisms of capabilities, privileged capability-dumb files [6]_ and -file system ACLs [10]_ can be used to create dedicated groups of -privileged Perf users who are permitted to execute performance monitoring -and observability without scope limits. The following steps can be -taken to create such groups of privileged Perf users. +Mechanisms of capabilities, privileged capability-dumb files [6]_, +file system ACLs [10]_ and sudo [15]_ utility can be used to create +dedicated groups of privileged Perf users who are permitted to execute +performance monitoring and observability without limits. The following +steps can be taken to create such groups of privileged Perf users. 1. Create perf_users group of privileged Perf users, assign perf_users group to Perf tool executable and limit access to the executable for @@ -136,7 +136,7 @@ taken to create such groups of privileged Perf users. # getcap perf perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep -If the libcap installed doesn't yet support "cap_perfmon", use "38" instead, +If the libcap [16]_ installed doesn't yet support "cap_perfmon", use "38" instead, i.e.: :: @@ -162,6 +162,60 @@ performance monitoring and observability by using functionality of the configured Perf tool executable that, when executes, passes perf_events subsystem scope checks. +In case Perf tool executable can't be assigned required capabilities (e.g. +file system is mounted with nosuid option or extended attributes are +not supported by the file system) then creation of the capabilities +privileged environment, naturally shell, is possible. The shell provides +inherent processes with CAP_PERFMON and other required capabilities so that +performance monitoring and observability operations are available in the +environment without limits. Access to the environment can be open via sudo +utility for members of perf_users group only. In order to create such +environment: + +1. Create shell script that uses capsh utility [16]_ to assign CAP_PERFMON + and other required capabilities into ambient capability set of the shell + process, lock the process security bits after enabling SECBIT_NO_SETUID_FIXUP, + SECBIT_NOROOT and SECBIT_NO_CAP_AMBIENT_RAISE bits and then change + the process identity to sudo caller of the script who should essentially + be a member of perf_users group: + +:: + + # ls -alh /usr/local/bin/perf.shell + -rwxr-xr-x. 1 root root 83 Oct 13 23:57 /usr/local/bin/perf.shell + # cat /usr/local/bin/perf.shell + exec /usr/sbin/capsh --iab=^cap_perfmon --secbits=239 --user=$SUDO_USER -- -l + +2. Extend sudo policy at /etc/sudoers file with a rule for perf_users group: + +:: + + # grep perf_users /etc/sudoers + %perf_users ALL=/usr/local/bin/perf.shell + +3. Check that members of perf_users group have access to the privileged + shell and have CAP_PERFMON and other required capabilities enabled + in permitted, effective and ambient capability sets of an inherent process: + +:: + + $ id + uid=1003(capsh_test) gid=1004(capsh_test) groups=1004(capsh_test),1000(perf_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 + $ sudo perf.shell + [sudo] password for capsh_test: + $ grep Cap /proc/self/status + CapInh: 0000004000000000 + CapPrm: 0000004000000000 + CapEff: 0000004000000000 + CapBnd: 000000ffffffffff + CapAmb: 0000004000000000 + $ capsh --decode=0000004000000000 + 0x0000004000000000=cap_perfmon + +As a result, members of perf_users group have access to the privileged +environment where they can use tools employing performance monitoring APIs +governed by CAP_PERFMON Linux capability. + This specific access control management is only available to superuser or root running processes with CAP_SETPCAP, CAP_SETFCAP [6]_ capabilities. @@ -267,3 +321,5 @@ Bibliography .. [12] ``_ .. [13] ``_ .. [14] ``_ +.. [15] ``_ +.. [16] ``_ -- 2.24.1