~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/perf/Documentation/security.txt

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /tools/perf/Documentation/security.txt (Version linux-6.12-rc7) and /tools/perf/Documentation/security.txt (Version unix-v6-master)


  1 Overview                                          
  2 ========                                          
  3                                                   
  4 For general security related questions of perf    
  5 performance monitoring and observability opera    
  6 https://www.kernel.org/doc/html/latest/admin-g    
  7                                                   
  8 Enabling LSM based mandatory access control (M    
  9 ==============================================    
 10                                                   
 11 LSM hooks for mandatory access control for per    
 12 used starting from Linux v5.3. Below are the s    
 13 Targeted policy with perf_event_open() access     
 14                                                   
 15 1. Download selinux-policy SRPM package (e.g.     
 16    and install it so rpmbuild directory would     
 17                                                   
 18    # rpm -Uhv selinux-policy-3.14.4-48.fc31.sr    
 19                                                   
 20 2. Get into rpmbuild/SPECS directory and unpac    
 21                                                   
 22    # rpmbuild -bp selinux-policy.spec             
 23                                                   
 24 3. Place patch below at rpmbuild/BUILD/selinux    
 25    directory and apply it:                        
 26                                                   
 27    # patch -p1 < selinux-policy-perf-events-pe    
 28    patching file policy/flask/access_vectors      
 29    patching file policy/flask/security_classes    
 30    # cat selinux-policy-perf-events-perfmon.pa    
 31 diff -Nura a/policy/flask/access_vectors b/pol    
 32 --- a/policy/flask/access_vectors       2020-0    
 33 +++ b/policy/flask/access_vectors       2020-0    
 34 @@ -174,6 +174,7 @@                               
 35         wake_alarm                                
 36         block_suspend                             
 37         audit_read                                
 38 +       perfmon                                   
 39  }                                                
 40                                                   
 41  #                                                
 42 @@ -1099,3 +1100,15 @@                            
 43                                                   
 44  class xdp_socket                                 
 45  inherits socket                                  
 46 +                                                 
 47 +class perf_event                                 
 48 +{                                                
 49 +       open                                      
 50 +       cpu                                       
 51 +       kernel                                    
 52 +       tracepoint                                
 53 +       read                                      
 54 +       write                                     
 55 +}                                                
 56 +                                                 
 57 +                                                 
 58 diff -Nura a/policy/flask/security_classes b/p    
 59 --- a/policy/flask/security_classes     2020-0    
 60 +++ b/policy/flask/security_classes     2020-0    
 61 @@ -200,4 +200,6 @@                               
 62                                                   
 63  class xdp_socket                                 
 64                                                   
 65 +class perf_event                                 
 66 +                                                 
 67  # FLASK                                          
 68                                                   
 69 4. Get into rpmbuild/SPECS directory and build    
 70                                                   
 71    # rpmbuild --noclean --noprep -ba selinux-p    
 72                                                   
 73    so you have this:                              
 74                                                   
 75    # ls -alh rpmbuild/RPMS/noarch/                
 76    total 33M                                      
 77    drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .    
 78    drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 .    
 79    -rw-r--r--. 1 root root 112K Mar 20 12:16 s    
 80    -rw-r--r--. 1 root root 1.2M Mar 20 12:17 s    
 81    -rw-r--r--. 1 root root 2.3M Mar 20 12:17 s    
 82    -rw-r--r--. 1 root root  12M Mar 20 12:17 s    
 83    -rw-r--r--. 1 root root 4.5M Mar 20 12:16 s    
 84    -rw-r--r--. 1 root root 111K Mar 20 12:16 s    
 85    -rw-r--r--. 1 root root  14M Mar 20 12:17 s    
 86                                                   
 87 5. Install SELinux packages from Fedora repo,     
 88    update with the patched rpms above:            
 89                                                   
 90    # rpm -Uhv rpmbuild/RPMS/noarch/selinux-pol    
 91                                                   
 92 6. Enable SELinux Permissive mode for Targeted    
 93                                                   
 94    # cat /etc/selinux/config                      
 95                                                   
 96    # This file controls the state of SELinux o    
 97    # SELINUX= can take one of these three valu    
 98    #     enforcing - SELinux security policy i    
 99    #     permissive - SELinux prints warnings     
100    #     disabled - No SELinux policy is loade    
101    SELINUX=permissive                             
102    # SELINUXTYPE= can take one of these three     
103    #     targeted - Targeted processes are pro    
104    #     minimum - Modification of targeted po    
105    #     mls - Multi Level Security protection    
106    SELINUXTYPE=targeted                           
107                                                   
108 7. Enable filesystem SELinux labeling at the n    
109                                                   
110    # touch /.autorelabel                          
111                                                   
112 8. Reboot machine and it will label filesystem    
113                                                   
114 9. Login and check that dmesg output doesn't m    
115                                                   
116 10. Check that SELinux is enabled and in Permi    
117                                                   
118     # getenforce                                  
119     Permissive                                    
120                                                   
121 11. Turn SELinux into Enforcing mode:             
122                                                   
123     # setenforce 1                                
124     # getenforce                                  
125     Enforcing                                     
126                                                   
127 Opening access to perf_event_open() syscall on    
128 ==============================================    
129                                                   
130 Access to performance monitoring and observabi    
131 can be limited for superuser or CAP_PERFMON or    
132 processes. MAC policy settings (e.g. SELinux)     
133 and prevent unauthorized access to perf_event_    
134 Perf tool provides a message similar to the on    
135                                                   
136    # perf stat                                    
137    Error:                                         
138    Access to performance monitoring and observ    
139    Enforced MAC policy settings (SELinux) can     
140    monitoring and observability operations. In    
141    more perf_event access control information     
142    Consider adjusting /proc/sys/kernel/perf_ev    
143    access to performance monitoring and observ    
144    without CAP_PERFMON or CAP_SYS_ADMIN Linux     
145    perf_event_paranoid setting is -1:             
146      -1: Allow use of (almost) all events by a    
147          Ignore mlock limit after perf_event_m    
148    >= 0: Disallow raw and ftrace function trac    
149    >= 1: Disallow CPU event access                
150    >= 2: Disallow kernel profiling                
151    To make the adjusted perf_event_paranoid se    
152    in /etc/sysctl.conf (e.g. kernel.perf_event    
153                                                   
154 To make sure that access is limited by MAC pol    
155 audit records using journalctl command or /var    
156 output would contain AVC denied records relate    
157                                                   
158    # journalctl --reverse --no-pager | grep pe    
159                                                   
160    python3[1318099]: SELinux is preventing per    
161                                          If yo    
162    setroubleshoot[1318099]: SELinux is prevent    
163    audit[1318098]: AVC avc:  denied  { open }     
164                                                   
165 In order to open access to perf_event_open() s    
166 require to be extended. On SELinux system this    
167 policy module extending base policy settings.     
168 be generated using the system audit records ab    
169 Run the command below to generate my-perf.te p    
170 perf_event related rules:                         
171                                                   
172    # ausearch -c 'perf' --raw | audit2allow -M    
173                                                   
174    module my-perf 1.0;                            
175                                                   
176    require {                                      
177         type unconfined_t;                        
178         class perf_event { cpu kernel open rea    
179    }                                              
180                                                   
181    #============= unconfined_t ==============     
182    allow unconfined_t self:perf_event { cpu ke    
183                                                   
184 Now compile, pack and load my-perf.pp extensio    
185                                                   
186    # checkmodule -M -m -o my-perf.mod my-perf.    
187    # semodule_package -o my-perf.pp -m my-perf    
188    # semodule -X 300 -i my-perf.pp                
189                                                   
190 After all those taken steps above access to pe    
191 now be allowed by the policy settings. Check a    
192                                                   
193    # perf stat                                    
194    ^C                                             
195    Performance counter stats for 'system wide'    
196                                                   
197          36,387.41 msec cpu-clock                 
198              2,629      context-switches          
199                 57      cpu-migrations            
200                  1      page-faults               
201        263,721,559      cycles                    
202        175,746,713      instructions              
203         19,628,798      branches                  
204          1,259,201      branch-misses             
205                                                   
206        4.549061439 seconds time elapsed           
207                                                   
208 The generated perf-event.pp related policy ext    
209 from the kernel using this command:               
210                                                   
211    # semodule -X 300 -r my-perf                   
212                                                   
213 Alternatively the module can be temporarily di    
214 these two commands:                               
215                                                   
216    # semodule -d my-perf                          
217    # semodule -e my-perf                          
218                                                   
219 If something went wrong                           
220 =======================                           
221                                                   
222 To turn SELinux into Permissive mode:             
223    # setenforce 0                                 
224                                                   
225 To fully disable SELinux during kernel boot [3    
226                                                   
227 To remove SELinux labeling from local filesyst    
228    # find / -mount -print0 | xargs -0 setfattr    
229                                                   
230 To fully turn SELinux off a machine set SELINU    
231                                                   
232 Links                                             
233 =====                                             
234                                                   
235 [1] https://download-ib01.fedoraproject.org/pu    
236 [2] https://docs.fedoraproject.org/en-US/Fedor    
237 [3] https://danwalsh.livejournal.com/10972.htm    
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php