[v2,2/4] support perf_event_paranoid=3

Message ID	20220615122711.9895-2-cgzones@googlemail.com (mailing list archive)
State	Superseded
Delegated to:	Ondrej Mosnáček
Headers	show Return-Path: <selinux-owner@kernel.org> From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> To: selinux@vger.kernel.org Subject: [PATCH v2 2/4] support perf_event_paranoid=3 Date: Wed, 15 Jun 2022 14:27:09 +0200 Message-Id: <20220615122711.9895-2-cgzones@googlemail.com> In-Reply-To: <20220615122711.9895-1-cgzones@googlemail.com> References: <20220614102029.13006-1-cgzones@googlemail.com> <20220615122711.9895-1-cgzones@googlemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[v2,1/4] support Dash as default shell \| expand [v2,1/4] support Dash as default shell [v2,2/4] support perf_event_paranoid=3 [v2,3/4] filesystem: allow getfilecon(3) to pass test [v2,4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set

Message ID

20220615122711.9895-2-cgzones@googlemail.com (mailing list archive)

State

Superseded

Delegated to:

Ondrej Mosnáček

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH v2 2/4] support perf_event_paranoid=3
Date: Wed, 15 Jun 2022 14:27:09 +0200
Message-Id: <20220615122711.9895-2-cgzones@googlemail.com>
In-Reply-To: <20220615122711.9895-1-cgzones@googlemail.com>
References: <20220614102029.13006-1-cgzones@googlemail.com>
 <20220615122711.9895-1-cgzones@googlemail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[v2,1/4] support Dash as default shell | expand

Commit Message

Christian Göttsche June 15, 2022, 12:27 p.m. UTC

Debian uses a downstream patch[1] to allow further restriction of
perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2)
operations.

Set the parameter to a value of 2 during the tests and reset afterwards.

[1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
   set parameter to 2 instead of granting CAP_SYS_ADMIN
---
 tests/perf_event/test | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/tests/perf_event/test b/tests/perf_event/test
index c336477..cc1247b 100755
--- a/tests/perf_event/test
+++ b/tests/perf_event/test
@@ -32,12 +32,18 @@  BEGIN {
             print "\tNot paranoid\n";
         }
         elsif ( $level eq 0 ) {
-            print "\tDisallow raw tracepoint/ftrace without CAP_SYS_ADMIN\n";
+            print
+"\tDisallow raw tracepoint/ftrace without CAP_PERFMON or CAP_SYS_ADMIN\n";
         }
         elsif ( $level eq 1 ) {
-            print "\tDisallow CPU event access without CAP_SYS_ADMIN\n";
+            print
+"\tDisallow CPU event access without CAP_PERFMON or CAP_SYS_ADMIN\n";
         }
         elsif ( $level eq 2 ) {
+            print
+"\tDisallow kernel profiling without CAP_PERFMON or CAP_SYS_ADMIN\n";
+        }
+        elsif ( $level eq 3 ) {
             print "\tDisallow kernel profiling without CAP_SYS_ADMIN\n";
         }
         else {
@@ -48,6 +54,11 @@  BEGIN {
     plan tests => $test_count;
 }
 
+# Downgrade to only require CAP_PERFMON for operations
+if ( $level eq 3 ) {
+    system("echo 2 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
 # find some CPU that is online
 for ( $cpu = 0 ; -e "/sys/devices/system/cpu/cpu$cpu" ; $cpu++ ) {
 
@@ -114,4 +125,9 @@  $result =
   "runcon -t test_perf_no_write_t $basedir/perf_event $v $cpu $event_id 2>&1";
 ok( $result >> 8 eq 2 );
 
+# Reset if downgraded
+if ( $level eq 3 ) {
+    system("echo 3 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
 exit;

[v2,2/4] support perf_event_paranoid=3

Commit Message

Patch