| Message ID | 819338ce-d160-4a2f-f1aa-d756a2e7c6fc@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | perf: make Perf tool aware of SELinux access control | expand |
Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu: > > Implement selinux sysfs check to see the system is in enforcing > mode and print warning message with pointer to check audit logs. There were some changes in this area meanwhile, so I had to apply the evsel.c by hand, when I push this please double check everything is ok, - Arnaldo > Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> > --- > tools/perf/util/cloexec.c | 4 ++-- > tools/perf/util/evsel.c | 39 ++++++++++++++++++++++++--------------- > 2 files changed, 26 insertions(+), 17 deletions(-) > > diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c > index a12872f2856a..9c8ec816261b 100644 > --- a/tools/perf/util/cloexec.c > +++ b/tools/perf/util/cloexec.c > @@ -65,7 +65,7 @@ static int perf_flag_probe(void) > return 1; > } > > - WARN_ONCE(err != EINVAL && err != EBUSY, > + WARN_ONCE(err != EINVAL && err != EBUSY && err != EACCES, > "perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error %d (%s)\n", > err, str_error_r(err, sbuf, sizeof(sbuf))); > > @@ -83,7 +83,7 @@ static int perf_flag_probe(void) > if (fd >= 0) > close(fd); > > - if (WARN_ONCE(fd < 0 && err != EBUSY, > + if (WARN_ONCE(fd < 0 && err != EBUSY && err != EACCES, > "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n", > err, str_error_r(err, sbuf, sizeof(sbuf)))) > return -1; > diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c > index 9fa92649adb4..bf437c059c2b 100644 > --- a/tools/perf/util/evsel.c > +++ b/tools/perf/util/evsel.c > @@ -2514,32 +2514,41 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target, > int err, char *msg, size_t size) > { > char sbuf[STRERR_BUFSIZE]; > - int printed = 0; > + int printed = 0, enforced = 0; > > switch (err) { > case EPERM: > case EACCES: > + printed += scnprintf(msg + printed, size - printed, > + "Access to performance monitoring and observability operations is limited.\n"); > + > + if (!sysfs__read_int("fs/selinux/enforce", &enforced)) { > + if (enforced) { > + printed += scnprintf(msg + printed, size - printed, > + "Enforced MAC policy settings (SELinux) can limit access to performance\n" > + "monitoring and observability operations. Inspect system audit records for\n" > + "more perf_event access control information and adjusting the policy.\n"); > + } > + } > + > if (err == EPERM) > - printed = scnprintf(msg, size, > + printed += scnprintf(msg, size, > "No permission to enable %s event.\n\n", > perf_evsel__name(evsel)); > > return scnprintf(msg + printed, size - printed, > - "You may not have permission to collect %sstats.\n\n" > - "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" > - "which controls use of the performance events system by\n" > - "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n" > - "The current value is %d:\n\n" > + "Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open\n" > + "access to performance monitoring and observability operations for users\n" > + "without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.\n" > + "perf_event_paranoid setting is %d:\n" > " -1: Allow use of (almost) all events by all users\n" > " Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n" > - ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n" > - " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n" > - ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n" > - ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n" > - "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n" > - " kernel.perf_event_paranoid = -1\n" , > - target->system_wide ? "system-wide " : "", > - perf_event_paranoid()); > + ">= 0: Disallow raw and ftrace function tracepoint access\n" > + ">= 1: Disallow CPU event access\n" > + ">= 2: Disallow kernel profiling\n" > + "To make the adjusted perf_event_paranoid setting permanent preserve it\n" > + "in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)", > + perf_event_paranoid()); > case ENOENT: > return scnprintf(msg, size, "The %s event is not supported.", > perf_evsel__name(evsel)); > -- > 2.24.1 > >
On 18.05.2020 18:58, Arnaldo Carvalho de Melo wrote: > Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu: >> >> Implement selinux sysfs check to see the system is in enforcing >> mode and print warning message with pointer to check audit logs. > > There were some changes in this area meanwhile, so I had to apply the > evsel.c by hand, when I push this please double check everything is ok, Will do. I appreciate your integrating effort. Thanks, Alexey
On 18.05.2020 19:43, Alexey Budankov wrote: > > On 18.05.2020 18:58, Arnaldo Carvalho de Melo wrote: >> Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu: >>> >>> Implement selinux sysfs check to see the system is in enforcing >>> mode and print warning message with pointer to check audit logs. >> >> There were some changes in this area meanwhile, so I had to apply the >> evsel.c by hand, when I push this please double check everything is ok, > > Will do. I appreciate your integrating effort. Checked at tmp.perf/core branch. The message looks like this: [root@nntvtune39 acme.tmp]# tools/perf/perf stat Error: Access to performance monitoring and observability operations is limited. Enforced MAC policy settings (SELinux) can limit access to performance monitoring and observability operations. Inspect system audit records for more perf_event access control information and adjusting the policy. Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open access to performance monitoring and observability operations for users without CAP_PERFMON or CAP_SYS_ADMIN Linux capability. perf_event_paranoid setting is 2: -1: Allow use of (almost) all events by all users Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK >= 0: Disallow raw and ftrace function tracepoint access >= 1: Disallow CPU event access >= 2: Disallow kernel profiling To make the adjusted perf_event_paranoid setting permanent preserve it in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>) Edited patch at security.txt didn't apply cleanly. It requires white space prior tab in the first block for wake_alarm etc till perfmon: ---8<--- diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors --- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300 +++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300 @@ -174,6 +174,7 @@ wake_alarm block_suspend audit_read + perfmon } # @@ -1099,3 +1100,15 @@ class xdp_socket inherits socket + +class perf_event +{ + open + cpu + kernel + tracepoint + read + write +} + + diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes --- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300 +++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300 @@ -200,4 +200,6 @@ class xdp_socket +class perf_event + # FLASK ---8<--- ~Alexey
Em Tue, May 19, 2020 at 10:34:18AM +0300, Alexey Budankov escreveu: > > On 18.05.2020 19:43, Alexey Budankov wrote: > > > > On 18.05.2020 18:58, Arnaldo Carvalho de Melo wrote: > >> Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu: > >>> > >>> Implement selinux sysfs check to see the system is in enforcing > >>> mode and print warning message with pointer to check audit logs. > >> > >> There were some changes in this area meanwhile, so I had to apply the > >> evsel.c by hand, when I push this please double check everything is ok, > > > > Will do. I appreciate your integrating effort. > > Checked at tmp.perf/core branch. The message looks like this: > > [root@nntvtune39 acme.tmp]# tools/perf/perf stat > Error: > Access to performance monitoring and observability operations is limited. > Enforced MAC policy settings (SELinux) can limit access to performance > monitoring and observability operations. Inspect system audit records for > more perf_event access control information and adjusting the policy. > Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open > access to performance monitoring and observability operations for users > without CAP_PERFMON or CAP_SYS_ADMIN Linux capability. > perf_event_paranoid setting is 2: > -1: Allow use of (almost) all events by all users > Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK > >= 0: Disallow raw and ftrace function tracepoint access > >= 1: Disallow CPU event access > >= 2: Disallow kernel profiling > To make the adjusted perf_event_paranoid setting permanent preserve it > in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>) > > Edited patch at security.txt didn't apply cleanly. It requires white space > prior tab in the first block for wake_alarm etc till perfmon: I see, I'll leave it there then so that it applies cleanly to those policy files. > ---8<--- > diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors > --- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300 > +++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300 > @@ -174,6 +174,7 @@ > wake_alarm > block_suspend > audit_read > + perfmon > } > > # > @@ -1099,3 +1100,15 @@ > > class xdp_socket > inherits socket > + > +class perf_event > +{ > + open > + cpu > + kernel > + tracepoint > + read > + write > +} > + > + > diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes > --- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300 > +++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300 > @@ -200,4 +200,6 @@ > > class xdp_socket > > +class perf_event > + > # FLASK > > ---8<--- > > ~Alexey
diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c index a12872f2856a..9c8ec816261b 100644 --- a/tools/perf/util/cloexec.c +++ b/tools/perf/util/cloexec.c @@ -65,7 +65,7 @@ static int perf_flag_probe(void) return 1; } - WARN_ONCE(err != EINVAL && err != EBUSY, + WARN_ONCE(err != EINVAL && err != EBUSY && err != EACCES, "perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error %d (%s)\n", err, str_error_r(err, sbuf, sizeof(sbuf))); @@ -83,7 +83,7 @@ static int perf_flag_probe(void) if (fd >= 0) close(fd); - if (WARN_ONCE(fd < 0 && err != EBUSY, + if (WARN_ONCE(fd < 0 && err != EBUSY && err != EACCES, "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n", err, str_error_r(err, sbuf, sizeof(sbuf)))) return -1; diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c index 9fa92649adb4..bf437c059c2b 100644 --- a/tools/perf/util/evsel.c +++ b/tools/perf/util/evsel.c @@ -2514,32 +2514,41 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target, int err, char *msg, size_t size) { char sbuf[STRERR_BUFSIZE]; - int printed = 0; + int printed = 0, enforced = 0; switch (err) { case EPERM: case EACCES: + printed += scnprintf(msg + printed, size - printed, + "Access to performance monitoring and observability operations is limited.\n"); + + if (!sysfs__read_int("fs/selinux/enforce", &enforced)) { + if (enforced) { + printed += scnprintf(msg + printed, size - printed, + "Enforced MAC policy settings (SELinux) can limit access to performance\n" + "monitoring and observability operations. Inspect system audit records for\n" + "more perf_event access control information and adjusting the policy.\n"); + } + } + if (err == EPERM) - printed = scnprintf(msg, size, + printed += scnprintf(msg, size, "No permission to enable %s event.\n\n", perf_evsel__name(evsel)); return scnprintf(msg + printed, size - printed, - "You may not have permission to collect %sstats.\n\n" - "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" - "which controls use of the performance events system by\n" - "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n" - "The current value is %d:\n\n" + "Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open\n" + "access to performance monitoring and observability operations for users\n" + "without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.\n" + "perf_event_paranoid setting is %d:\n" " -1: Allow use of (almost) all events by all users\n" " Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n" - ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n" - " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n" - ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n" - ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n" - "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n" - " kernel.perf_event_paranoid = -1\n" , - target->system_wide ? "system-wide " : "", - perf_event_paranoid()); + ">= 0: Disallow raw and ftrace function tracepoint access\n" + ">= 1: Disallow CPU event access\n" + ">= 2: Disallow kernel profiling\n" + "To make the adjusted perf_event_paranoid setting permanent preserve it\n" + "in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)", + perf_event_paranoid()); case ENOENT: return scnprintf(msg, size, "The %s event is not supported.", perf_evsel__name(evsel));
Implement selinux sysfs check to see the system is in enforcing mode and print warning message with pointer to check audit logs. Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> --- tools/perf/util/cloexec.c | 4 ++-- tools/perf/util/evsel.c | 39 ++++++++++++++++++++++++--------------- 2 files changed, 26 insertions(+), 17 deletions(-)