[PATCH v3 2/3] perf tool: make Perf tool aware of SELinux access control

Arnaldo Carvalho de Melo arnaldo.melo at gmail.com
Tue May 19 18:10:13 UTC 2020


Em Tue, May 19, 2020 at 10:34:18AM +0300, Alexey Budankov escreveu:
> 
> On 18.05.2020 19:43, Alexey Budankov wrote:
> > 
> > On 18.05.2020 18:58, Arnaldo Carvalho de Melo wrote:
> >> Em Thu, Apr 30, 2020 at 10:15:57AM +0300, Alexey Budankov escreveu:
> >>>
> >>> Implement selinux sysfs check to see the system is in enforcing
> >>> mode and print warning message with pointer to check audit logs.
> >>
> >> There were some changes in this area meanwhile, so I had to apply the
> >> evsel.c by hand, when I push this please double check everything is ok,
> > 
> > Will do. I appreciate your integrating effort.
> 
> Checked at tmp.perf/core branch. The message looks like this:
> 
> [root at nntvtune39 acme.tmp]# tools/perf/perf stat
> Error:
> Access to performance monitoring and observability operations is limited.
> Enforced MAC policy settings (SELinux) can limit access to performance
> monitoring and observability operations. Inspect system audit records for
> more perf_event access control information and adjusting the policy.
> Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
> access to performance monitoring and observability operations for users
> without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
> perf_event_paranoid setting is 2:
>   -1: Allow use of (almost) all events by all users
>       Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
> >= 0: Disallow raw and ftrace function tracepoint access
> >= 1: Disallow CPU event access
> >= 2: Disallow kernel profiling
> To make the adjusted perf_event_paranoid setting permanent preserve it
> in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
> 
> Edited patch at security.txt didn't apply cleanly. It requires white space
> prior tab in the first block for wake_alarm etc till perfmon:

I see, I'll leave it there then so that it applies cleanly to those
policy files.
 
> ---8<---
> diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
> --- a/policy/flask/access_vectors	2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/access_vectors	2020-02-28 23:37:25.000000000 +0300
> @@ -174,6 +174,7 @@
>  	wake_alarm
>  	block_suspend
>  	audit_read
> +	perfmon
>  }
> 
>  #
> @@ -1099,3 +1100,15 @@
> 
>  class xdp_socket
>  inherits socket
> +
> +class perf_event
> +{
> +	open
> +	cpu
> +	kernel
> +	tracepoint
> +	read
> +	write
> +}
> +
> +
> diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
> --- a/policy/flask/security_classes	2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/security_classes	2020-02-28 21:35:17.000000000 +0300
> @@ -200,4 +200,6 @@
> 
>  class xdp_socket
> 
> +class perf_event
> +
>  # FLASK
> 
> ---8<---
> 
> ~Alexey

-- 

- Arnaldo



More information about the Linux-security-module-archive mailing list