Overview
========

For general security related questions of perf
performance monitoring and observability opera
https://www.kernel.org/doc/html/latest/admin-g

Enabling LSM based mandatory access control (MAC)
=================================================

LSM hooks for mandatory access control for per
used starting from Linux v5.3. Below are the s
Targeted policy with perf_event_open() access

1. Download selinux-policy SRPM package (e.g.
   and install it so rpmbuild directory would

   # rpm -Uhv selinux-policy-3.14.4-48.fc31.sr

2. Get into rpmbuild/SPECS directory and unpac

   # rpmbuild -bp selinux-policy.spec

3. Place patch below at rpmbuild/BUILD/selinux
   directory and apply it:

   # patch -p1 < selinux-policy-perf-events-pe
   patching file policy/flask/access_vectors
   patching file policy/flask/security_classes
   # cat selinux-policy-perf-events-perfmon.pa
   diff -Nura a/policy/flask/access_vectors b/pol
   --- a/policy/flask/access_vectors 2020-0
   +++ b/policy/flask/access_vectors 2020-0
   @@ -174,6 +174,7 @@
   wake_alarm
   block_suspend
   audit_read
   + perfmon
   }

   #
   @@ -1099,3 +1100,15 @@

   class xdp_socket
   inherits socket
   +
   +class perf_event
   +{
   + open
   + cpu
   + kernel
   + tracepoint
   + read
   + write
   +}
   +
   +
   diff -Nura a/policy/flask/security_classes b/p
   --- a/policy/flask/security_classes 2020-0
   +++ b/policy/flask/security_classes 2020-0
   @@ -200,4 +200,6 @@

   class xdp_socket

   +class perf_event
   +
   # FLASK

4. Get into rpmbuild/SPECS directory and build

   # rpmbuild --noclean --noprep -ba selinux-p

   so you have this:

   # ls -alh rpmbuild/RPMS/noarch/
   total 33M
   drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
   drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 .
   -rw-r--r--. 1 root root 112K Mar 20 12:16 s
   -rw-r--r--. 1 root root 1.2M Mar 20 12:17 s
   -rw-r--r--. 1 root root 2.3M Mar 20 12:17 s
   -rw-r--r--. 1 root root  12M Mar 20 12:17 s
   -rw-r--r--. 1 root root 4.5M Mar 20 12:16 s
   -rw-r--r--. 1 root root 111K Mar 20 12:16 s
   -rw-r--r--. 1 root root  14M Mar 20 12:17 s

5. Install SELinux packages from Fedora repo,
   update with the patched rpms above:

   # rpm -Uhv rpmbuild/RPMS/noarch/selinux-pol

6. Enable SELinux Permissive mode for Targeted

   # cat /etc/selinux/config

   # This file controls the state of SELinux o
   # SELINUX= can take one of these three valu
   #     enforcing - SELinux security policy i
   #     permissive - SELinux prints warnings
   #     disabled - No SELinux policy is loade
   SELINUX=permissive
   # SELINUXTYPE= can take one of these three
   #     targeted - Targeted processes are pro
   #     minimum - Modification of targeted po
   #     mls - Multi Level Security protection
   SELINUXTYPE=targeted

7. Enable filesystem SELinux labeling at the n

   # touch /.autorelabel

8. Reboot machine and it will label filesystem

9. Login and check that dmesg output doesn't m

10. Check that SELinux is enabled and in Permissive mode:

    # getenforce
    Permissive

11. Turn SELinux into Enforcing mode:

    # setenforce 1
    # getenforce
    Enforcing

Opening access to perf_event_open() syscall on
==============================================

Access to performance monitoring and observabi
can be limited for superuser or CAP_PERFMON or
processes. MAC policy settings (e.g.
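Review bot: in the second access_vectors hunk of the patch in step 3 (@@ -1099,3 +1100,15 @@), the new perf_event class is followed by two added empty lines (`+`, `+`), which leaves a stray trailing blank line at the end of the file; one separator line is enough, so drop the second. The permission list in that hunk (open cpu kernel tracepoint read write) covers the `{ cpu kernel open read ... }` set the audit2allow output later in the text asks for, and the security_classes hunk declares the same class name, so the two files stay consistent.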
SELinux)
and prevent unauthorized access to perf_event_
Perf tool provides a message similar to the on

   # perf stat
   Error:
   Access to performance monitoring and observ
   Enforced MAC policy settings (SELinux) can
   monitoring and observability operations. In
   more perf_event access control information
   Consider adjusting /proc/sys/kernel/perf_ev
   access to performance monitoring and observ
   without CAP_PERFMON or CAP_SYS_ADMIN Linux
   perf_event_paranoid setting is -1:
     -1: Allow use of (almost) all events by a
         Ignore mlock limit after perf_event_m
   >= 0: Disallow raw and ftrace function trac
   >= 1: Disallow CPU event access
   >= 2: Disallow kernel profiling
   To make the adjusted perf_event_paranoid se
   in /etc/sysctl.conf (e.g. kernel.perf_event

To make sure that access is limited by MAC pol
audit records using journalctl command or /var
output would contain AVC denied records relate

   # journalctl --reverse --no-pager | grep pe

   python3[1318099]: SELinux is preventing per
                                              If yo
   setroubleshoot[1318099]: SELinux is prevent
   audit[1318098]: AVC avc:  denied  { open }

In order to open access to perf_event_open() s
require to be extended. On an SELinux system this
policy module extending base policy settings.
be generated using the system audit records ab
Run the command below to generate my-perf.te p
perf_event related rules:

   # ausearch -c 'perf' --raw | audit2allow -M

   module my-perf 1.0;

   require {
           type unconfined_t;
           class perf_event { cpu kernel open rea
   }

   #============= unconfined_t ==============
   allow unconfined_t self:perf_event { cpu ke

Now compile, pack and load my-perf.pp extensio

   # checkmodule -M -m -o my-perf.mod my-perf.
   # semodule_package -o my-perf.pp -m my-perf
   # semodule -X 300 -i my-perf.pp

After all the steps taken above, access to pe
now be allowed by the policy settings. Check a

   # perf stat
   ^C
   Performance counter stats for 'system wide'

        36,387.41 msec cpu-clock
            2,629      context-switches
               57      cpu-migrations
                1      page-faults
      263,721,559      cycles
      175,746,713      instructions
       19,628,798      branches
        1,259,201      branch-misses

      4.549061439 seconds time elapsed

The generated my-perf.pp related policy ext
from the kernel using this command:

   # semodule -X 300 -r my-perf

Alternatively the module can be temporarily di
these two commands:

   # semodule -d my-perf
   # semodule -e my-perf

If something went wrong
=======================

To turn SELinux into Permissive mode:
   # setenforce 0

To fully disable SELinux during kernel boot [3

To remove SELinux labeling from local filesyst
   # find / -mount -print0 | xargs -0 setfattr

To fully turn SELinux off a machine set SELINU

Links
=====

[1] https://download-ib01.fedoraproject.org/pu
[2] https://docs.fedoraproject.org/en-US/Fedor
[3] https://danwalsh.livejournal.com/10972.htm
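The `ausearch -c 'perf' --raw | audit2allow -M my-perf` step above turns the AVC denial records into the my-perf.te Type Enforcement module that checkmodule, semodule_package and semodule then compile and load. The shell function below is an added example, not part of this document and not audit2allow's own code: it performs the same aggregation for the case on this page, parsing the scontext type, tcontext type, tclass and permission out of each `avc: denied` record, merging duplicates, and printing a module in the same layout. It goes slightly beyond the page's case by also handling denials whose source and target types differ (emitting the target type instead of `self`) and several object classes at once. The audit records it is fed are constructed samples modelled on the journalctl output above (pids, timestamps and serials are made up), and the function name gen_te_module and the module name passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the perf documentation or from audit2allow):
# a minimal stand-in for "ausearch -c 'perf' --raw | audit2allow -M my-perf".
# Reads raw AVC denial records on stdin, prints a Type Enforcement module.

# Constructed sample records, modelled on the journalctl/ausearch output in
# the text above (pids, timestamps and serial numbers are made up).
SAMPLE_AVC='type=AVC msg=audit(1584700000.123:4567): avc:  denied  { open } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=perf_event permissive=0
type=AVC msg=audit(1584700000.124:4568): avc:  denied  { cpu } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=perf_event permissive=0
type=AVC msg=audit(1584700000.125:4569): avc:  denied  { kernel } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=perf_event permissive=0
type=AVC msg=audit(1584700000.126:4570): avc:  denied  { read } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=perf_event permissive=0
type=AVC msg=audit(1584700000.126:4570): avc:  denied  { read } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=perf_event permissive=0
type=AVC msg=audit(1584700000.127:4571): avc:  denied  { read } for  pid=4242 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# gen_te_module MODULE_NAME < avc-records
# Stage 1 (awk): one "src_type tgt_type class perm" line per denied permission.
# Stage 2 (sort -u): drop repeated denials so each permission is listed once.
# Stage 3 (awk): group by (src, tgt, class), print the require block, then
#                one allow rule per group, using "self" when src == tgt.
gen_te_module() {
    awk '/avc: +denied/ {
        # the denied permissions are the words between { and }
        if (!match($0, /[{][^}]*[}]/)) next
        set = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # user:role:type:level -> the type is the third component
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(set, perms, " ")
        for (i = 1; i <= n; i++) print src, tgt, cls, perms[i]
    }' | LC_ALL=C sort -u | awk -v name="$1" '
    # append item to a space-separated list unless it is already there
    function add_once(list, item) {
        return (index(" " list " ", " " item " ") ? list : (list == "" ? item : list " " item))
    }
    {
        key = $1 " " $2 " " $3
        if (!(key in rule)) { order[++nrules] = key; rule[key] = "" }
        rule[key] = add_once(rule[key], $4)
        types = add_once(types, $1); types = add_once(types, $2)
        if (!($3 in classperm)) { classes = add_once(classes, $3); classperm[$3] = "" }
        classperm[$3] = add_once(classperm[$3], $4)
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        nt = split(types, t, " ");   for (i = 1; i <= nt; i++) printf "\ttype %s;\n", t[i]
        nc = split(classes, c, " "); for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", c[i], classperm[c[i]]
        print "}"
        last = ""
        for (i = 1; i <= nrules; i++) {
            split(order[i], f, " ")
            if (f[1] != last) { printf "\n#============= %s ==============\n", f[1]; last = f[1] }
            printf "allow %s %s:%s { %s };\n", f[1], (f[1] == f[2] ? "self" : f[2]), f[3], rule[order[i]]
        }
    }'
}

# Run on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AVC" | gen_te_module my-perf
```

The printed module is what you would save as my-perf.te and feed to checkmodule, semodule_package and semodule exactly as in the steps above; on a real system replace the constructed records with the `ausearch -c 'perf' --raw` output. Read the generated allow rules before loading them: audit2allow (and this stand-in) grant precisely what was denied, which is only right when every denial came from legitimate perf usage, and the `self:perf_event` rule scoped to unconfined_t is far narrower than lowering perf_event_paranoid system-wide.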