From: Peter Zijlstra <peterz@infradead.org>
To: "Joel Fernandes (Google)" <joel@joelfernandes.org>
Cc: linux-kernel@vger.kernel.org, rostedt@goodmis.org,
primiano@google.com, rsavitski@google.com, jeffv@google.com,
kernel-team@android.com, James Morris <jmorris@namei.org>,
Alexei Starovoitov <ast@kernel.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
bpf@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
Ingo Molnar <mingo@redhat.com>, Jiri Olsa <jolsa@redhat.com>,
Kees Cook <keescook@chromium.org>,
linux-security-module@vger.kernel.org,
Matthew Garrett <matthewgarrett@google.com>,
Namhyung Kim <namhyung@kernel.org>,
selinux@vger.kernel.org, Song Liu <songliubraving@fb.com>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<x86@kernel.org>, Yonghong Song <yhs@fb.com>
Subject: Re: [PATCH v2] perf_event: Add support for LSM and SELinux checks
Date: Tue, 15 Oct 2019 10:30:08 +0200 [thread overview]
Message-ID: <20191015083008.GC2311@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <20191014170308.70668-1-joel@joelfernandes.org>
On Mon, Oct 14, 2019 at 01:03:08PM -0400, Joel Fernandes (Google) wrote:
> In current mainline, the degree of access to perf_event_open(2) system
> call depends on the perf_event_paranoid sysctl. This has a number of
> limitations:
>
> 1. The sysctl is only a single value. Many types of accesses are controlled
> based on the single value thus making the control very limited and
> coarse grained.
> 2. The sysctl is global, so if the sysctl is changed, then that means
> all processes get access to perf_event_open(2) opening the door to
> security issues.
>
> This patch adds LSM and SELinux access checking which will be used in
> Android to access perf_event_open(2) for the purposes of attaching BPF
> programs to tracepoints, perf profiling and other operations from
> userspace. These operations are intended for production systems.
>
> 5 new LSM hooks are added:
> 1. perf_event_open: This controls access during the perf_event_open(2)
> syscall itself. The hook is called from all the places that the
> perf_event_paranoid sysctl is checked to keep it consistent with the
> systctl. The hook gets passed a 'type' argument which controls CPU,
> kernel and tracepoint accesses (in this context, CPU, kernel and
> tracepoint have the same semantics as the perf_event_paranoid sysctl).
> Additionally, I added an 'open' type which is similar to
> perf_event_paranoid sysctl == 3 patch carried in Android and several other
> distros but was rejected in mainline [1] in 2016.
>
> 2. perf_event_alloc: This allocates a new security object for the event
> which stores the current SID within the event. It will be useful when
> the perf event's FD is passed through IPC to another process which may
> try to read the FD. Appropriate security checks will limit access.
>
> 3. perf_event_free: Called when the event is closed.
>
> 4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
>
> 5. perf_event_write: Called from the ioctl(2) syscalls for the event.
>
> [1] https://lwn.net/Articles/696240/
>
> Since Peter had suggest LSM hooks in 2016 [1], I am adding his
> Suggested-by tag below.
Thanks, I've queued the patch!
> To use this patch, we set the perf_event_paranoid sysctl to -1 and then
> apply selinux checking as appropriate (default deny everything, and then
> add policy rules to give access to domains that need it). In the future
> we can remove the perf_event_paranoid sysctl altogether.
This I'm not sure about; the sysctl is only redundant when you actually
use a security thingy, not everyone is. I always find them things to be
mightily unfriendly.
next prev parent reply other threads:[~2019-10-15 8:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-14 17:03 [PATCH v2] perf_event: Add support for LSM and SELinux checks Joel Fernandes (Google)
2019-10-15 8:30 ` Peter Zijlstra [this message]
2019-10-16 0:20 ` Joel Fernandes
2019-10-15 14:35 ` Stephen Smalley
2019-10-16 0:35 ` Joel Fernandes
2019-10-16 8:10 ` Peter Zijlstra
2019-10-18 12:48 ` [tip: perf/core] " tip-bot2 for Joel Fernandes (Google)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191015083008.GC2311@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=acme@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jeffv@google.com \
--cc=jmorris@namei.org \
--cc=joel@joelfernandes.org \
--cc=jolsa@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=primiano@google.com \
--cc=rostedt@goodmis.org \
--cc=rsavitski@google.com \
--cc=selinux@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.