From: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>
To: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>,
Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Andi Kleen <ak@linux.intel.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v3 2/3] perf tool: make Perf tool aware of SELinux access control
Date: Tue, 19 May 2020 15:10:13 -0300 [thread overview]
Message-ID: <20200519181013.GA28228@kernel.org> (raw)
In-Reply-To: <74f8d079-39ef-756e-7e43-ba4c897fd441@linux.intel.com>
Em Tue, May 19, 2020 at 10:34:18AM +0300, Alexey Budankov escreveu:
>
> On 18.05.2020 19:43, Alexey Budankov wrote:
> >
> > On 18.05.2020 18:58, Arnaldo Carvalho de Melo wrote:
> >> Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu:
> >>>
> >>> Implement selinux sysfs check to see the system is in enforcing
> >>> mode and print warning message with pointer to check audit logs.
> >>
> >> There were some changes in this area meanwhile, so I had to apply the
> >> evsel.c by hand, when I push this please double check everything is ok,
> >
> > Will do. I appreciate your integrating effort.
>
> Checked at tmp.perf/core branch. The message looks like this:
>
> [root@nntvtune39 acme.tmp]# tools/perf/perf stat
> Error:
> Access to performance monitoring and observability operations is limited.
> Enforced MAC policy settings (SELinux) can limit access to performance
> monitoring and observability operations. Inspect system audit records for
> more perf_event access control information and adjusting the policy.
> Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
> access to performance monitoring and observability operations for users
> without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
> perf_event_paranoid setting is 2:
> -1: Allow use of (almost) all events by all users
> Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
> >= 0: Disallow raw and ftrace function tracepoint access
> >= 1: Disallow CPU event access
> >= 2: Disallow kernel profiling
> To make the adjusted perf_event_paranoid setting permanent preserve it
> in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
>
> Edited patch at security.txt didn't apply cleanly. It requires white space
> prior tab in the first block for wake_alarm etc till perfmon:
I see, I'll leave it there then so that it applies cleanly to those
policy files.
> ---8<---
> diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
> --- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300
> @@ -174,6 +174,7 @@
> wake_alarm
> block_suspend
> audit_read
> + perfmon
> }
>
> #
> @@ -1099,3 +1100,15 @@
>
> class xdp_socket
> inherits socket
> +
> +class perf_event
> +{
> + open
> + cpu
> + kernel
> + tracepoint
> + read
> + write
> +}
> +
> +
> diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
> --- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300
> @@ -200,4 +200,6 @@
>
> class xdp_socket
>
> +class perf_event
> +
> # FLASK
>
> ---8<---
>
> ~Alexey
--
- Arnaldo
next prev parent reply other threads:[~2020-05-19 18:10 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-30 7:06 [PATCH v3 0/3] perf: make Perf tool aware of SELinux access control Alexey Budankov
2020-04-30 7:15 ` [PATCH v3 1/3] perf docs: extend CAP_SYS_ADMIN with CAP_PERFMON where needed Alexey Budankov
2020-04-30 7:15 ` [PATCH v3 2/3] perf tool: make Perf tool aware of SELinux access control Alexey Budankov
2020-05-18 15:58 ` Arnaldo Carvalho de Melo
2020-05-18 16:43 ` Alexey Budankov
2020-05-19 7:34 ` Alexey Budankov
2020-05-19 18:10 ` Arnaldo Carvalho de Melo [this message]
2020-04-30 7:16 ` [PATCH v3 3/3] perf docs: introduce security.txt file to document related issues Alexey Budankov
2020-05-18 15:59 ` Arnaldo Carvalho de Melo
2020-05-18 16:50 ` Alexey Budankov
2020-05-18 17:06 ` Arnaldo Carvalho de Melo
2020-05-18 8:07 ` [PATCH v3 0/3] perf: make Perf tool aware of SELinux access control Alexey Budankov
-- strict thread matches above, loose matches on Subject: below --
2020-04-24 6:45 Alexey Budankov
2020-04-24 6:50 ` [PATCH v3 2/3] perf tool: " Alexey Budankov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200519181013.GA28228@kernel.org \
--to=arnaldo.melo@gmail.com \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=alexey.budankov@linux.intel.com \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox