diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2020-12-20 22:21:06 +0300 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-12-20 22:21:06 +0300 |
commit | 48342fc07272eec454fc5b400ed3ce3739c7e950 (patch) | |
tree | 29a2f05d5122091b35c131c082d6a43e87ad5f0a /Documentation/admin-guide | |
parent | 6a447b0e3151893f6d4a889956553c06d2e775c6 (diff) | |
parent | 2e7f545096f954a9726c9415763dd0bfbcac47e0 (diff) | |
download | linux-48342fc07272eec454fc5b400ed3ce3739c7e950.tar.xz |
Merge tag 'perf-tools-2020-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
Pull perf tools updates from Arnaldo Carvalho de Melo:
"perf record:
- Fix memory leak when using '--user-regs=?' to list registers
aarch64 support:
- Add aarch64 registers to 'perf record's' --user-regs command line
option
aarch64 hw tracing support:
- Decode memory tagging properties
- Improve ARM's auxtrace support
- Add support for ARMv8.3-SPE
perf kvm:
- Add kvm-stat for arm64
perf stat:
- Add --quiet option
Cleanups:
- Fixup function names wrt what is in libperf and what is in
tools/perf
Build:
- Allow building without libbpf in older systems
New kernel features:
- Initial support for data/code page size sample type, more to come
perf annotate:
- Support MIPS instruction extended support
perf stack unwinding:
- Fix separate debug info files when using elfutils' libdw's unwinder
perf vendor events:
- Update Intel's Skylake client events to v50
- Add JSON metrics for ARM's imx8mm DDR Perf
- Support printing metric groups for system PMUs
perf build id:
- Prep work for supporting having the build id provided by the kernel
in PERF_RECORD_MMAP2 metadata events
perf stat:
- Support regex pattern in --for-each-cgroup
pipe mode:
- Allow to use stdio functions for pipe mode
- Support 'perf report's' --header-only for pipe mode
- Support pipe mode display in 'perf evlist'
Documentation:
- Update information about CAP_PERFMON"
* tag 'perf-tools-2020-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: (134 commits)
perf mem: Factor out a function to generate sort order
perf sort: Add sort option for data page size
perf script: Support data page size
tools headers UAPI: Update asm-generic/unistd.h
tools headers cpufeatures: Sync with the kernel sources
tools headers UAPI: Sync linux/prctl.h with the kernel sources
tools headers UAPI: Sync linux/fscrypt.h with the kernel sources
tools headers UAPI: Sync linux/const.h with the kernel headers
tools arch x86: Sync the msr-index.h copy with the kernel sources
perf trace beauty: Update copy of linux/socket.h with the kernel sources
tools headers: Update linux/ctype.h with the kernel sources
tools headers: Add conditional __has_builtin()
tools headers: Get tools's linux/compiler.h closer to the kernel's
tools headers UAPI: Sync linux/stat.h with the kernel sources
tools headers: Syncronize linux/build_bug.h with the kernel sources
perf tools: Reformat record's control fd man text
perf config: Fix example command in manpage to conform to syntax specified in the SYNOPSIS section.
perf test: Make sample-parsing test aware of PERF_SAMPLE_{CODE,DATA}_PAGE_SIZE
perf tools: Add support to read build id from compressed elf
perf debug: Add debug_set_file function
...
Diffstat (limited to 'Documentation/admin-guide')
-rw-r--r-- | Documentation/admin-guide/perf-security.rst | 81 |
1 files changed, 70 insertions, 11 deletions
diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst index 1307b5274a0f..904e4eb37f99 100644 --- a/Documentation/admin-guide/perf-security.rst +++ b/Documentation/admin-guide/perf-security.rst @@ -84,11 +84,14 @@ capabilities then providing the process with CAP_PERFMON capability singly is recommended as the preferred secure approach to resolve double access denial logging related to usage of performance monitoring and observability. -Unprivileged processes using perf_events system call are also subject -for PTRACE_MODE_READ_REALCREDS ptrace access mode check [7]_ , whose -outcome determines whether monitoring is permitted. So unprivileged -processes provided with CAP_SYS_PTRACE capability are effectively -permitted to pass the check. +Prior Linux v5.9 unprivileged processes using perf_events system call +are also subject for PTRACE_MODE_READ_REALCREDS ptrace access mode check +[7]_ , whose outcome determines whether monitoring is permitted. +So unprivileged processes provided with CAP_SYS_PTRACE capability are +effectively permitted to pass the check. Starting from Linux v5.9 +CAP_SYS_PTRACE capability is not required and CAP_PERFMON is enough to +be provided for processes to make performance monitoring and observability +operations. Other capabilities being granted to unprivileged processes can effectively enable capturing of additional data required for later @@ -99,11 +102,11 @@ CAP_SYSLOG capability permits reading kernel space memory addresses from Privileged Perf users groups --------------------------------- -Mechanisms of capabilities, privileged capability-dumb files [6]_ and -file system ACLs [10]_ can be used to create dedicated groups of -privileged Perf users who are permitted to execute performance monitoring -and observability without scope limits. The following steps can be -taken to create such groups of privileged Perf users. +Mechanisms of capabilities, privileged capability-dumb files [6]_, +file system ACLs [10]_ and sudo [15]_ utility can be used to create +dedicated groups of privileged Perf users who are permitted to execute +performance monitoring and observability without limits. The following +steps can be taken to create such groups of privileged Perf users. 1. Create perf_users group of privileged Perf users, assign perf_users group to Perf tool executable and limit access to the executable for @@ -133,7 +136,7 @@ taken to create such groups of privileged Perf users. # getcap perf perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep -If the libcap installed doesn't yet support "cap_perfmon", use "38" instead, +If the libcap [16]_ installed doesn't yet support "cap_perfmon", use "38" instead, i.e.: :: @@ -159,6 +162,60 @@ performance monitoring and observability by using functionality of the configured Perf tool executable that, when executes, passes perf_events subsystem scope checks. +In case Perf tool executable can't be assigned required capabilities (e.g. +file system is mounted with nosuid option or extended attributes are +not supported by the file system) then creation of the capabilities +privileged environment, naturally shell, is possible. The shell provides +inherent processes with CAP_PERFMON and other required capabilities so that +performance monitoring and observability operations are available in the +environment without limits. Access to the environment can be open via sudo +utility for members of perf_users group only. In order to create such +environment: + +1. Create shell script that uses capsh utility [16]_ to assign CAP_PERFMON + and other required capabilities into ambient capability set of the shell + process, lock the process security bits after enabling SECBIT_NO_SETUID_FIXUP, + SECBIT_NOROOT and SECBIT_NO_CAP_AMBIENT_RAISE bits and then change + the process identity to sudo caller of the script who should essentially + be a member of perf_users group: + +:: + + # ls -alh /usr/local/bin/perf.shell + -rwxr-xr-x. 1 root root 83 Oct 13 23:57 /usr/local/bin/perf.shell + # cat /usr/local/bin/perf.shell + exec /usr/sbin/capsh --iab=^cap_perfmon --secbits=239 --user=$SUDO_USER -- -l + +2. Extend sudo policy at /etc/sudoers file with a rule for perf_users group: + +:: + + # grep perf_users /etc/sudoers + %perf_users ALL=/usr/local/bin/perf.shell + +3. Check that members of perf_users group have access to the privileged + shell and have CAP_PERFMON and other required capabilities enabled + in permitted, effective and ambient capability sets of an inherent process: + +:: + + $ id + uid=1003(capsh_test) gid=1004(capsh_test) groups=1004(capsh_test),1000(perf_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 + $ sudo perf.shell + [sudo] password for capsh_test: + $ grep Cap /proc/self/status + CapInh: 0000004000000000 + CapPrm: 0000004000000000 + CapEff: 0000004000000000 + CapBnd: 000000ffffffffff + CapAmb: 0000004000000000 + $ capsh --decode=0000004000000000 + 0x0000004000000000=cap_perfmon + +As a result, members of perf_users group have access to the privileged +environment where they can use tools employing performance monitoring APIs +governed by CAP_PERFMON Linux capability. + This specific access control management is only available to superuser or root running processes with CAP_SETPCAP, CAP_SETFCAP [6]_ capabilities. @@ -264,3 +321,5 @@ Bibliography .. [12] `<http://man7.org/linux/man-pages/man5/limits.conf.5.html>`_ .. [13] `<https://sites.google.com/site/fullycapable>`_ .. [14] `<http://man7.org/linux/man-pages/man8/auditd.8.html>`_ +.. [15] `<https://man7.org/linux/man-pages/man8/sudo.8.html>`_ +.. [16] `<https://git.kernel.org/pub/scm/libs/libcap/libcap.git/>`_ |