| Message ID | 7459371d-2ec8-4700-13b6-09b73998cc7c@linux.intel.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | perf: make Perf tool aware of SELinux access control | expand |
Em Wed, Apr 22, 2020 at 05:45:34PM +0300, Alexey Budankov escreveu: > > Implement SELinux sysfs check to see if the system is in enforcing > mode and print warning message with pointers to check audit logs. > > Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> > --- > tools/perf/util/cloexec.c | 4 ++-- > tools/perf/util/evsel.c | 40 +++++++++++++++++++++++---------------- > 2 files changed, 26 insertions(+), 18 deletions(-) > > diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c > index a12872f2856a..9c8ec816261b 100644 > --- a/tools/perf/util/cloexec.c > +++ b/tools/perf/util/cloexec.c > @@ -65,7 +65,7 @@ static int perf_flag_probe(void) > return 1; > } > > - WARN_ONCE(err != EINVAL && err != EBUSY, > + WARN_ONCE(err != EINVAL && err != EBUSY && err != EACCES, > "perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error %d (%s)\n", > err, str_error_r(err, sbuf, sizeof(sbuf))); > > @@ -83,7 +83,7 @@ static int perf_flag_probe(void) > if (fd >= 0) > close(fd); > > - if (WARN_ONCE(fd < 0 && err != EBUSY, > + if (WARN_ONCE(fd < 0 && err != EBUSY && err != EACCES, > "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n", > err, str_error_r(err, sbuf, sizeof(sbuf)))) > return -1; > diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c > index 9fa92649adb4..82492ca12405 100644 > --- a/tools/perf/util/evsel.c > +++ b/tools/perf/util/evsel.c > @@ -2514,32 +2514,40 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target, > int err, char *msg, size_t size) > { > char sbuf[STRERR_BUFSIZE]; > - int printed = 0; > + int printed = 0, enforced = 0; > > switch (err) { > case EPERM: > case EACCES: > + printed += scnprintf(msg + printed, size - printed, > + "Access to performance monitoring and observability operations is limited.\n"); > + > + if (!sysfs__read_int("fs/selinux/enforce", &enforced)) { > + if (enforced) { > + printed += scnprintf(msg + printed, size - printed, > + "Enforced MAC policy settings (SELinux) can limit access to performance\n" > + "monitoring and observability operations. Inspect system audit records for\n" > + "more perf_event access control information and adjusting the policy.\n"); > + } > + } > + > if (err == EPERM) > - printed = scnprintf(msg, size, > - "No permission to enable %s event.\n\n", > + printed += scnprintf(msg, size, > + "No permission to enable %s event.\n", > perf_evsel__name(evsel)); This removal of a newline doesn't seem necessary to this patch. > return scnprintf(msg + printed, size - printed, > - "You may not have permission to collect %sstats.\n\n" > - "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" > - "which controls use of the performance events system by\n" > - "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n" > - "The current value is %d:\n\n" > + "Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open\n" > + "access to performance monitoring and observability operations for users\n" > + "without CAP_PERFMON capability. perf_event_paranoid setting is %d:\n" Here we need as well to check if the kernel/libcap supports CAP_PERFMON to provide a better error message. > " -1: Allow use of (almost) all events by all users\n" > " Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n" > - ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n" > - " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n" > - ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n" > - ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n" > - "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n" > - " kernel.perf_event_paranoid = -1\n" , > - target->system_wide ? "system-wide " : "", > - perf_event_paranoid()); > + ">= 0: Disallow raw and ftrace function tracepoint access\n" > + ">= 1: Disallow CPU event access\n" > + ">= 2: Disallow kernel profiling\n" > + "To make the adjusted perf_event_paranoid setting permanent preserve it\n" > + "in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)", > + perf_event_paranoid()); > case ENOENT: > return scnprintf(msg, size, "The %s event is not supported.", > perf_evsel__name(evsel)); > -- > 2.24.1 > >
On 23.04.2020 16:27, Arnaldo Carvalho de Melo wrote: > Em Wed, Apr 22, 2020 at 05:45:34PM +0300, Alexey Budankov escreveu: >> >> Implement SELinux sysfs check to see if the system is in enforcing >> mode and print warning message with pointers to check audit logs. >> >> Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> >> --- >> tools/perf/util/cloexec.c | 4 ++-- >> tools/perf/util/evsel.c | 40 +++++++++++++++++++++++---------------- >> 2 files changed, 26 insertions(+), 18 deletions(-) >> >> diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c >> index a12872f2856a..9c8ec816261b 100644 >> --- a/tools/perf/util/cloexec.c >> +++ b/tools/perf/util/cloexec.c >> @@ -65,7 +65,7 @@ static int perf_flag_probe(void) >> return 1; >> } >> >> - WARN_ONCE(err != EINVAL && err != EBUSY, >> + WARN_ONCE(err != EINVAL && err != EBUSY && err != EACCES, >> "perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error %d (%s)\n", >> err, str_error_r(err, sbuf, sizeof(sbuf))); >> >> @@ -83,7 +83,7 @@ static int perf_flag_probe(void) >> if (fd >= 0) >> close(fd); >> >> - if (WARN_ONCE(fd < 0 && err != EBUSY, >> + if (WARN_ONCE(fd < 0 && err != EBUSY && err != EACCES, >> "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n", >> err, str_error_r(err, sbuf, sizeof(sbuf)))) >> return -1; >> diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c >> index 9fa92649adb4..82492ca12405 100644 >> --- a/tools/perf/util/evsel.c >> +++ b/tools/perf/util/evsel.c >> @@ -2514,32 +2514,40 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target, >> int err, char *msg, size_t size) >> { >> char sbuf[STRERR_BUFSIZE]; >> - int printed = 0; >> + int printed = 0, enforced = 0; >> >> switch (err) { >> case EPERM: >> case EACCES: >> + printed += scnprintf(msg + printed, size - printed, >> + "Access to performance monitoring and observability operations is limited.\n"); >> + >> + if (!sysfs__read_int("fs/selinux/enforce", &enforced)) { >> + if (enforced) { >> + printed += scnprintf(msg + printed, size - printed, >> + "Enforced MAC policy settings (SELinux) can limit access to performance\n" >> + "monitoring and observability operations. Inspect system audit records for\n" >> + "more perf_event access control information and adjusting the policy.\n"); >> + } >> + } >> + >> if (err == EPERM) >> - printed = scnprintf(msg, size, >> - "No permission to enable %s event.\n\n", >> + printed += scnprintf(msg, size, >> + "No permission to enable %s event.\n", >> perf_evsel__name(evsel)); > > This removal of a newline doesn't seem necessary to this patch. There will be break in the middle of the message then, but ok. > >> return scnprintf(msg + printed, size - printed, >> - "You may not have permission to collect %sstats.\n\n" >> - "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" >> - "which controls use of the performance events system by\n" >> - "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n" >> - "The current value is %d:\n\n" >> + "Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open\n" >> + "access to performance monitoring and observability operations for users\n" >> + "without CAP_PERFMON capability. perf_event_paranoid setting is %d:\n" > > Here we need as well to check if the kernel/libcap supports CAP_PERFMON > to provide a better error message. I will change change "CAP_PERFMON" to "CAP_PERFMON or CAP_SYS_ADMIN" in the new message. > >> " -1: Allow use of (almost) all events by all users\n" >> " Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n" >> - ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n" >> - " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n" >> - ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n" >> - ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n" >> - "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n" >> - " kernel.perf_event_paranoid = -1\n" , >> - target->system_wide ? "system-wide " : "", >> - perf_event_paranoid()); >> + ">= 0: Disallow raw and ftrace function tracepoint access\n" >> + ">= 1: Disallow CPU event access\n" >> + ">= 2: Disallow kernel profiling\n" >> + "To make the adjusted perf_event_paranoid setting permanent preserve it\n" >> + "in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)", >> + perf_event_paranoid()); >> case ENOENT: >> return scnprintf(msg, size, "The %s event is not supported.", >> perf_evsel__name(evsel)); Thanks, Alexey
diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c index a12872f2856a..9c8ec816261b 100644 --- a/tools/perf/util/cloexec.c +++ b/tools/perf/util/cloexec.c @@ -65,7 +65,7 @@ static int perf_flag_probe(void) return 1; } - WARN_ONCE(err != EINVAL && err != EBUSY, + WARN_ONCE(err != EINVAL && err != EBUSY && err != EACCES, "perf_event_open(..., PERF_FLAG_FD_CLOEXEC) failed with unexpected error %d (%s)\n", err, str_error_r(err, sbuf, sizeof(sbuf))); @@ -83,7 +83,7 @@ static int perf_flag_probe(void) if (fd >= 0) close(fd); - if (WARN_ONCE(fd < 0 && err != EBUSY, + if (WARN_ONCE(fd < 0 && err != EBUSY && err != EACCES, "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n", err, str_error_r(err, sbuf, sizeof(sbuf)))) return -1; diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c index 9fa92649adb4..82492ca12405 100644 --- a/tools/perf/util/evsel.c +++ b/tools/perf/util/evsel.c @@ -2514,32 +2514,40 @@ int perf_evsel__open_strerror(struct evsel *evsel, struct target *target, int err, char *msg, size_t size) { char sbuf[STRERR_BUFSIZE]; - int printed = 0; + int printed = 0, enforced = 0; switch (err) { case EPERM: case EACCES: + printed += scnprintf(msg + printed, size - printed, + "Access to performance monitoring and observability operations is limited.\n"); + + if (!sysfs__read_int("fs/selinux/enforce", &enforced)) { + if (enforced) { + printed += scnprintf(msg + printed, size - printed, + "Enforced MAC policy settings (SELinux) can limit access to performance\n" + "monitoring and observability operations. Inspect system audit records for\n" + "more perf_event access control information and adjusting the policy.\n"); + } + } + if (err == EPERM) - printed = scnprintf(msg, size, - "No permission to enable %s event.\n\n", + printed += scnprintf(msg, size, + "No permission to enable %s event.\n", perf_evsel__name(evsel)); return scnprintf(msg + printed, size - printed, - "You may not have permission to collect %sstats.\n\n" - "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" - "which controls use of the performance events system by\n" - "unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).\n\n" - "The current value is %d:\n\n" + "Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open\n" + "access to performance monitoring and observability operations for users\n" + "without CAP_PERFMON capability. perf_event_paranoid setting is %d:\n" " -1: Allow use of (almost) all events by all users\n" " Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK\n" - ">= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN\n" - " Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN\n" - ">= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN\n" - ">= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN\n\n" - "To make this setting permanent, edit /etc/sysctl.conf too, e.g.:\n\n" - " kernel.perf_event_paranoid = -1\n" , - target->system_wide ? "system-wide " : "", - perf_event_paranoid()); + ">= 0: Disallow raw and ftrace function tracepoint access\n" + ">= 1: Disallow CPU event access\n" + ">= 2: Disallow kernel profiling\n" + "To make the adjusted perf_event_paranoid setting permanent preserve it\n" + "in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)", + perf_event_paranoid()); case ENOENT: return scnprintf(msg, size, "The %s event is not supported.", perf_evsel__name(evsel));
Implement SELinux sysfs check to see if the system is in enforcing mode and print warning message with pointers to check audit logs. Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> --- tools/perf/util/cloexec.c | 4 ++-- tools/perf/util/evsel.c | 40 +++++++++++++++++++++++---------------- 2 files changed, 26 insertions(+), 18 deletions(-)