From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2BD9CC43441 for ; Tue, 27 Nov 2018 08:15:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D7A05208E4 for ; Tue, 27 Nov 2018 08:15:44 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D7A05208E4 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729064AbeK0TMr (ORCPT ); Tue, 27 Nov 2018 14:12:47 -0500 Received: from mga17.intel.com ([192.55.52.151]:24974 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727329AbeK0TMr (ORCPT ); Tue, 27 Nov 2018 14:12:47 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Nov 2018 00:15:42 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,286,1539673200"; d="scan'208";a="90202367" Received: from linux.intel.com ([10.54.29.200]) by fmsmga007.fm.intel.com with ESMTP; 27 Nov 2018 00:15:42 -0800 Received: from [10.125.251.223] (abudanko-mobl.ccr.corp.intel.com [10.125.251.223]) by linux.intel.com (Postfix) with ESMTP id 2F7845803C2; Tue, 27 Nov 2018 00:15:37 -0800 (PST) Subject: [PATCH v4 1/2] Documentation/admin-guide: introduce perf-security.rst file From: Alexey Budankov To: Jonatan Corbet , Thomas Gleixner , Kees Cook , Jann Horn , Ingo Molnar , Peter Zijlstra , Andi Kleen Cc: Alexander Shishkin , Jiri Olsa , Arnaldo Carvalho de Melo , Mark Rutland , Tvrtko Ursulin , linux-kernel , "kernel-hardening@lists.openwall.com" , "linux-doc@vger.kernel.org" References: Organization: Intel Corp. Message-ID: Date: Tue, 27 Nov 2018 11:15:37 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Implement initial version of perf-security.rst documentation file covering security concerns of perf_event_paranoid settings. Suggested-by: Thomas Gleixner Signed-off-by: Alexey Budankov --- Changes in v4: - added docs for perf_event related capabilities Changes in v3: - toning down of the markup for "scope, access and resource" - adding definite article for "Linux implementation" Changes in v2: - reverted patches order in the set to avoid CI issue - replaced old PCL referencing by PE (Perf Events) - skipped >=3 setting documentation at the moment --- Documentation/admin-guide/perf-security.rst | 97 +++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 Documentation/admin-guide/perf-security.rst diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst new file mode 100644 index 000000000000..f73ebfe9bfe2 --- /dev/null +++ b/Documentation/admin-guide/perf-security.rst @@ -0,0 +1,97 @@ +.. _perf_security: + +Perf Events and tool security +============================= + +Overview +-------- + +Usage of Performance Counters for Linux (perf_events) [1]_ , [2]_ , [3]_ can +impose a considerable risk of leaking sensitive data accessed by monitored +processes. The data leakage is possible both in scenarios of direct usage of +perf_events system call API [2]_ and over data files generated by Perf tool user +mode utility (Perf) [3]_ , [4]_ . The risk depends on the nature of data that +perf_events performance monitoring units (PMU) [2]_ collect and expose for +performance analysis. Having that said perf_events/Perf performance monitoring +is the subject for security access control management [5]_ . + +perf_events/Perf access control +------------------------------- + +To perform security checks, the Linux implementation splits processes into two +categories [6]_ : a) privileged processes (whose effective user ID is 0, referred +to as superuser or root), and b) unprivileged processes (whose effective UID is +nonzero). Privileged processes bypass all kernel security permission checks so +perf_events performance monitoring is fully available to privileged processes +without access, scope and resource restrictions. + +Unprivileged processes are subject to a full security permission check based on +the process's credentials [5]_ (usually: effective UID, effective GID, and +supplementary group list). + +Linux divides the privileges traditionally associated with superuser into +distinct units, known as capabilities [6]_ , which can be independently enabled +and disabled on per-thread basis for processes and files of unprivileged users. + +Unprivileged processes with enabled CAP_SYS_ADMIN capability are treated as +privileged processes with respect to perf_events performance monitoring and +bypass *scope* permissions checks in the kernel. + +Unprivileged processes using perf_events system call API is also subject for +PTRACE_MODE_READ_REALCREDS ptrace access mode check [7]_ , whose outcome +determines whether monitoring is permitted. So unprivileged processes provided +with CAP_SYS_PTRACE capability are effectively permitted to pass the check. + +Other capabilities being granted to unprivileged processes can effectively +enable capturing of additional data required for later performance analysis of +monitored processes or a system. For example, CAP_SYSLOG capability permits +reading kernel space memory addresses from /proc/kallsyms file. + +perf_events/Perf unprivileged users +----------------------------------- + +perf_events/Perf *scope* and *access* control for unprivileged processes is +governed by perf_event_paranoid [2]_ setting: + +-1: + Impose no *scope* and *access* restrictions on using perf_events performance + monitoring. Per-user per-cpu perf_event_mlock_kb [2]_ locking limit is + ignored when allocating memory buffers for storing performance data. + This is the least secure mode since allowed monitored *scope* is + maximized and no perf_events specific limits are imposed on *resources* + allocated for performance monitoring. + +>=0: + *scope* includes per-process and system wide performance monitoring + but excludes raw tracepoints and ftrace function tracepoints monitoring. + CPU and system events happened when executing either in user or + in kernel space can be monitored and captured for later analysis. + Per-user per-cpu perf_event_mlock_kb locking limit is imposed but + ignored for unprivileged processes with CAP_IPC_LOCK [6]_ capability. + +>=1: + *scope* includes per-process performance monitoring only and excludes + system wide performance monitoring. CPU and system events happened when + executing either in user or in kernel space can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +>=2: + *scope* includes per-process performance monitoring only. CPU and system + events happened when executing in user space only can be monitored and + captured for later analysis. Per-user per-cpu perf_event_mlock_kb + locking limit is imposed but ignored for unprivileged processes with + CAP_IPC_LOCK capability. + +Bibliography +------------ + +.. [1] ``_ +.. [2] ``_ +.. [3] ``_ +.. [4] ``_ +.. [5] ``_ +.. [6] ``_ +.. [7] ``_ +