[PATCH v3 2/3] perf tool: make Perf tool aware of SELinux access control
alexey.budankov at linux.intel.com
Tue May 19 07:34:18 UTC 2020
On 18.05.2020 19:43, Alexey Budankov wrote:
> On 18.05.2020 18:58, Arnaldo Carvalho de Melo wrote:
>> Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu:
>>> Implement selinux sysfs check to see the system is in enforcing
>>> mode and print warning message with pointer to check audit logs.
>> There were some changes in this area meanwhile, so I had to apply the
>> evsel.c by hand, when I push this please double check everything is ok,
> Will do. I appreciate your integrating effort.
Checked at tmp.perf/core branch. The message looks like this:
[root at nntvtune39 acme.tmp]# tools/perf/perf stat
Access to performance monitoring and observability operations is limited.
Enforced MAC policy settings (SELinux) can limit access to performance
monitoring and observability operations. Inspect system audit records for
more perf_event access control information and adjusting the policy.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for users
without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
perf_event_paranoid setting is 2:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
Edited patch at security.txt didn't apply cleanly. It requires white space
prior tab in the first block for wake_alarm etc till perfmon:
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
--- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300
@@ -174,6 +174,7 @@
@@ -1099,3 +1100,15 @@
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
--- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300
@@ -200,4 +200,6 @@
More information about the Linux-security-module-archive