perf docs: Introduce security.txt file to document related issues
Publish instructions on how to apply LSM hooks for access control to
perf_event_open() syscall on Fedora distro with Targeted SELinux policy
and then manage access to the syscall.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-security-module@vger.kernel.org
Cc: selinux@vger.kernel.org
Link: http://lore.kernel.org/lkml/290ded0a-c422-3749-5180-918fed1ee30f@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Parent: c1034eb069
Commit: bd7c1c6671
@ -0,0 +1,237 @@
Overview
========

For general security related questions of perf_event_open() syscall usage,
performance monitoring and observability operations by Perf see here:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html

Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall
==============================================================================

LSM hooks for mandatory access control for perf_event_open() syscall can be
used starting from Linux v5.3. Below are the steps to extend Fedora (v31) with
Targeted policy with perf_event_open() access control capabilities:

1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
and install it so rpmbuild directory would exist in the current working directory:

# rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm

2. Get into rpmbuild/SPECS directory and unpack the source code:

# rpmbuild -bp selinux-policy.spec

3. Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
directory and apply it:

# patch -p1 < selinux-policy-perf-events-perfmon.patch
patching file policy/flask/access_vectors
patching file policy/flask/security_classes
# cat selinux-policy-perf-events-perfmon.patch
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
--- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300
@@ -174,6 +174,7 @@
wake_alarm
block_suspend
audit_read
+ perfmon
}

#
@@ -1099,3 +1100,15 @@

class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
+
+
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
--- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300
@@ -200,4 +200,6 @@

class xdp_socket

+class perf_event
+
# FLASK

4. Get into rpmbuild/SPECS directory and build policy packages from patched sources:

# rpmbuild --noclean --noprep -ba selinux-policy.spec

so you have this:

# ls -alh rpmbuild/RPMS/noarch/
total 33M
drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..
-rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm

5. Install SELinux packages from Fedora repo, if not already done so, and
update with the patched rpms above:

# rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*

6. Enable SELinux Permissive mode for Targeted policy, if not already done so:

# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

7. Enable filesystem SELinux labeling at the next reboot:

# touch /.autorelabel

8. Reboot machine and it will label filesystems and load Targeted policy into the kernel;

9. Login and check that dmesg output doesn't mention that perf_event class is unknown to SELinux subsystem;

10. Check that SELinux is enabled and in Permissive mode

# getenforce
Permissive

11. Turn SELinux into Enforcing mode:

# setenforce 1
# getenforce
Enforcing

Opening access to perf_event_open() syscall on Fedora with SELinux
==================================================================

Access to performance monitoring and observability operations by Perf
can be limited for superuser or CAP_PERFMON or CAP_SYS_ADMIN privileged
processes. MAC policy settings (e.g. SELinux) can be loaded into the kernel
and prevent unauthorized access to perf_event_open() syscall. In such case
Perf tool provides a message similar to the one below:

# perf stat
Error:
Access to performance monitoring and observability operations is limited.
Enforced MAC policy settings (SELinux) can limit access to performance
monitoring and observability operations. Inspect system audit records for
more perf_event access control information and adjusting the policy.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for users
without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
perf_event_paranoid setting is -1:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)

To make sure that access is limited by MAC policy settings inspect system
audit records using journalctl command or /var/log/audit/audit.log so the
output would contain AVC denied records related to perf_event:

# journalctl --reverse --no-pager | grep perf_event

python3[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t.
If you believe that perf should be allowed open access on perf_event labeled unconfined_t by default.
setroubleshoot[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t. For complete SELinux messages run: sealert -l 4595ce5b-e58f-462c-9d86-3bc2074935de
audit[1318098]: AVC avc: denied { open } for pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0

In order to open access to perf_event_open() syscall MAC policy settings can
require to be extended. On SELinux system this can be done by loading a special
policy module extending base policy settings. Perf related policy module can
be generated using the system audit records about blocking perf_event access.
Run the command below to generate my-perf.te policy extension file with
perf_event related rules:

# ausearch -c 'perf' --raw | audit2allow -M my-perf && cat my-perf.te

module my-perf 1.0;

require {
type unconfined_t;
class perf_event { cpu kernel open read tracepoint write };
}

#============= unconfined_t ==============
allow unconfined_t self:perf_event { cpu kernel open read tracepoint write };

Now compile, pack and load my-perf.pp extension module into the kernel:

# checkmodule -M -m -o my-perf.mod my-perf.te
# semodule_package -o my-perf.pp -m my-perf.mod
# semodule -X 300 -i my-perf.pp

After all those taken steps above access to perf_event_open() syscall should
now be allowed by the policy settings. Check access running Perf like this:

# perf stat
^C
Performance counter stats for 'system wide':

36,387.41 msec cpu-clock # 7.999 CPUs utilized
2,629 context-switches # 0.072 K/sec
57 cpu-migrations # 0.002 K/sec
1 page-faults # 0.000 K/sec
263,721,559 cycles # 0.007 GHz
175,746,713 instructions # 0.67 insn per cycle
19,628,798 branches # 0.539 M/sec
1,259,201 branch-misses # 6.42% of all branches

4.549061439 seconds time elapsed

The generated perf-event.pp related policy extension module can be removed
from the kernel using this command:

# semodule -X 300 -r my-perf

Alternatively the module can be temporarily disabled and enabled back using
these two commands:

# semodule -d my-perf
# semodule -e my-perf

If something went wrong
=======================

To turn SELinux into Permissive mode:
# setenforce 0

To fully disable SELinux during kernel boot [3] set kernel command line parameter selinux=0

To remove SELinux labeling from local filesystems:
# find / -mount -print0 | xargs -0 setfattr -h -x security.selinux

To fully turn SELinux off a machine set SELINUX=disabled at /etc/selinux/config file and reboot;

Links
=====

[1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s/selinux-policy-3.14.4-49.fc31.src.rpm
[2] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
[3] https://danwalsh.livejournal.com/10972.html
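Review bot: the module name is inconsistent in the removal paragraph near the end of the file: "The generated perf-event.pp related policy extension module can be removed" refers to a perf-event.pp that is never built, while the module generated, packaged and loaded above is my-perf (`audit2allow -M my-perf`, `semodule_package -o my-perf.pp`, `semodule -X 300 -r my-perf`); use my-perf.pp there. Two smaller consistency points: step 1 and the rpmbuild listing use selinux-policy-3.14.4-48.fc31, but link [1] points at the -49 SRPM, and [2] is never referenced from the text. Step 11 also deserves a sentence: `setenforce 1` only changes the running mode, and the /etc/selinux/config shown in step 6 still has SELINUX=permissive, so the machine will come back permissive after the next reboot unless SELINUX=enforcing is set there once step 9 confirms the perf_event class is known to the kernel. Finally, the audit2allow-generated rule `allow unconfined_t self:perf_event { cpu kernel open read tracepoint write }` grants all six perf_event permissions; a note that an administrator can trim the permission set in my-perf.te before running checkmodule (e.g. leaving out kernel or tracepoint when only user-space counting is wanted) would make the access-control purpose of the document clearer.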