TOMOYO Linux Cross Reference
Linux/tools/perf/Documentation/security.txt

   Overview
   ========
   
   For general security related questions of perf_event_open() syscall usage,
   performance monitoring and observability operations by Perf see here:
   https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
   
   Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall
   ==============================================================================
  
  LSM hooks for mandatory access control for perf_event_open() syscall can be
  used starting from Linux v5.3. Below are the steps to extend Fedora (v31) with
  Targeted policy with perf_event_open() access control capabilities:
  
  1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
     and install it so rpmbuild directory would exist in the current working directory:
  
     # rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm
  
  2. Get into rpmbuild/SPECS directory and unpack the source code:
  
     # rpmbuild -bp selinux-policy.spec
  
  3. Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
     directory and apply it:
  
     # patch -p1 < selinux-policy-perf-events-perfmon.patch
     patching file policy/flask/access_vectors
     patching file policy/flask/security_classes
     # cat selinux-policy-perf-events-perfmon.patch
  diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
  --- a/policy/flask/access_vectors       2020-02-04 18:19:53.000000000 +0300
  +++ b/policy/flask/access_vectors       2020-02-28 23:37:25.000000000 +0300
  @@ -174,6 +174,7 @@
          wake_alarm
          block_suspend
          audit_read
  +       perfmon
   }
   
   #
  @@ -1099,3 +1100,15 @@
   
   class xdp_socket
   inherits socket
  +
  +class perf_event
  +{
  +       open
  +       cpu
  +       kernel
  +       tracepoint
  +       read
  +       write
  +}
  +
  +
  diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
  --- a/policy/flask/security_classes     2020-02-04 18:19:53.000000000 +0300
  +++ b/policy/flask/security_classes     2020-02-28 21:35:17.000000000 +0300
  @@ -200,4 +200,6 @@
   
   class xdp_socket
   
  +class perf_event
  +
   # FLASK
  
  4. Get into rpmbuild/SPECS directory and build policy packages from patched sources:
  
     # rpmbuild --noclean --noprep -ba selinux-policy.spec
  
     so you have this:
  
     # ls -alh rpmbuild/RPMS/noarch/
     total 33M
     drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
     drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..
     -rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm
     -rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm
     -rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm
     -rw-r--r--. 1 root root  12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm
     -rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm
     -rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm
     -rw-r--r--. 1 root root  14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm
  
  5. Install SELinux packages from Fedora repo, if not already done so, and
     update with the patched rpms above:
  
     # rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*
  
  6. Enable SELinux Permissive mode for Targeted policy, if not already done so:
  
     # cat /etc/selinux/config
  
     # This file controls the state of SELinux on the system.
     # SELINUX= can take one of these three values:
     #     enforcing - SELinux security policy is enforced.
     #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
 
 7. Enable filesystem SELinux labeling at the next reboot:
 
    # touch /.autorelabel
 
 8. Reboot machine and it will label filesystems and load Targeted policy into the kernel;
 
 9. Login and check that dmesg output doesn't mention that perf_event class is unknown to SELinux subsystem;
 
 10. Check that SELinux is enabled and in Permissive mode
 
     # getenforce
     Permissive
 
 11. Turn SELinux into Enforcing mode:
 
     # setenforce 1
     # getenforce
     Enforcing
 
 Opening access to perf_event_open() syscall on Fedora with SELinux
 ==================================================================
 
 Access to performance monitoring and observability operations by Perf
 can be limited for superuser or CAP_PERFMON or CAP_SYS_ADMIN privileged
 processes. MAC policy settings (e.g. SELinux) can be loaded into the kernel
 and prevent unauthorized access to perf_event_open() syscall. In such case
 Perf tool provides a message similar to the one below:
 
    # perf stat
    Error:
    Access to performance monitoring and observability operations is limited.
    Enforced MAC policy settings (SELinux) can limit access to performance
    monitoring and observability operations. Inspect system audit records for
    more perf_event access control information and adjusting the policy.
    Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
    access to performance monitoring and observability operations for users
    without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
    perf_event_paranoid setting is -1:
      -1: Allow use of (almost) all events by all users
          Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
    >= 0: Disallow raw and ftrace function tracepoint access
    >= 1: Disallow CPU event access
    >= 2: Disallow kernel profiling
    To make the adjusted perf_event_paranoid setting permanent preserve it
    in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
 
 To make sure that access is limited by MAC policy settings inspect system
 audit records using journalctl command or /var/log/audit/audit.log so the
 output would contain AVC denied records related to perf_event:
 
    # journalctl --reverse --no-pager | grep perf_event
 
    python3[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t.
                                          If you believe that perf should be allowed open access on perf_event labeled unconfined_t by default.
    setroubleshoot[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t. For complete SELinux messages run: sealert -l 4595ce5b-e58f-462c-9d86-3bc2074935de
    audit[1318098]: AVC avc:  denied  { open } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0
 
 In order to open access to perf_event_open() syscall MAC policy settings can
 require to be extended. On SELinux system this can be done by loading a special
 policy module extending base policy settings. Perf related policy module can
 be generated using the system audit records about blocking perf_event access.
 Run the command below to generate my-perf.te policy extension file with
 perf_event related rules:
 
    # ausearch -c 'perf' --raw | audit2allow -M my-perf && cat my-perf.te
 
    module my-perf 1.0;
 
    require {
         type unconfined_t;
         class perf_event { cpu kernel open read tracepoint write };
    }
 
    #============= unconfined_t ==============
    allow unconfined_t self:perf_event { cpu kernel open read tracepoint write };
 
 Now compile, pack and load my-perf.pp extension module into the kernel:
 
    # checkmodule -M -m -o my-perf.mod my-perf.te
    # semodule_package -o my-perf.pp -m my-perf.mod
    # semodule -X 300 -i my-perf.pp
 
 After all those taken steps above access to perf_event_open() syscall should
 now be allowed by the policy settings. Check access running Perf like this:
 
    # perf stat
    ^C
    Performance counter stats for 'system wide':
 
          36,387.41 msec cpu-clock                 #    7.999 CPUs utilized
              2,629      context-switches          #    0.072 K/sec
                 57      cpu-migrations            #    0.002 K/sec
                  1      page-faults               #    0.000 K/sec
        263,721,559      cycles                    #    0.007 GHz
        175,746,713      instructions              #    0.67  insn per cycle
         19,628,798      branches                  #    0.539 M/sec
          1,259,201      branch-misses             #    6.42% of all branches
 
        4.549061439 seconds time elapsed
 
 The generated perf-event.pp related policy extension module can be removed
 from the kernel using this command:
 
    # semodule -X 300 -r my-perf
 
 Alternatively the module can be temporarily disabled and enabled back using
 these two commands:
 
    # semodule -d my-perf
    # semodule -e my-perf
 
 If something went wrong
 =======================
 
 To turn SELinux into Permissive mode:
    # setenforce 0
 
 To fully disable SELinux during kernel boot [3] set kernel command line parameter selinux=0
 
 To remove SELinux labeling from local filesystems:
    # find / -mount -print0 | xargs -0 setfattr -h -x security.selinux
 
 To fully turn SELinux off a machine set SELINUX=disabled at /etc/selinux/config file and reboot;
 
 Links
 =====
 
 [1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s/selinux-policy-3.14.4-49.fc31.src.rpm
 [2] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
 [3] https://danwalsh.livejournal.com/10972.html

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.