forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
237 lines
9.3 KiB
237 lines
9.3 KiB
Overview |
|
======== |
|
|
|
For general security related questions of perf_event_open() syscall usage, |
|
performance monitoring and observability operations by Perf see here: |
|
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html |
|
|
|
Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall |
|
============================================================================== |
|
|
|
LSM hooks for mandatory access control for perf_event_open() syscall can be |
|
used starting from Linux v5.3. Below are the steps to extend Fedora (v31) with |
|
Targeted policy with perf_event_open() access control capabilities: |
|
|
|
1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31) |
|
and install it so rpmbuild directory would exist in the current working directory: |
|
|
|
# rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm |
|
|
|
2. Get into rpmbuild/SPECS directory and unpack the source code: |
|
|
|
# rpmbuild -bp selinux-policy.spec |
|
|
|
3. Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02 |
|
directory and apply it: |
|
|
|
# patch -p1 < selinux-policy-perf-events-perfmon.patch |
|
patching file policy/flask/access_vectors |
|
patching file policy/flask/security_classes |
|
# cat selinux-policy-perf-events-perfmon.patch |
|
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors |
|
--- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300 |
|
+++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300 |
|
@@ -174,6 +174,7 @@ |
|
wake_alarm |
|
block_suspend |
|
audit_read |
|
+ perfmon |
|
} |
|
|
|
# |
|
@@ -1099,3 +1100,15 @@ |
|
|
|
class xdp_socket |
|
inherits socket |
|
+ |
|
+class perf_event |
|
+{ |
|
+ open |
|
+ cpu |
|
+ kernel |
|
+ tracepoint |
|
+ read |
|
+ write |
|
+} |
|
+ |
|
+ |
|
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes |
|
--- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300 |
|
+++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300 |
|
@@ -200,4 +200,6 @@ |
|
|
|
class xdp_socket |
|
|
|
+class perf_event |
|
+ |
|
# FLASK |
|
|
|
4. Get into rpmbuild/SPECS directory and build policy packages from patched sources: |
|
|
|
# rpmbuild --noclean --noprep -ba selinux-policy.spec |
|
|
|
so you have this: |
|
|
|
# ls -alh rpmbuild/RPMS/noarch/ |
|
total 33M |
|
drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 . |
|
drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 .. |
|
-rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm |
|
-rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm |
|
-rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm |
|
-rw-r--r--. 1 root root 12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm |
|
-rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm |
|
-rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm |
|
-rw-r--r--. 1 root root 14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm |
|
|
|
5. Install SELinux packages from Fedora repo, if not already done so, and |
|
update with the patched rpms above: |
|
|
|
# rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-* |
|
|
|
6. Enable SELinux Permissive mode for Targeted policy, if not already done so: |
|
|
|
# cat /etc/selinux/config |
|
|
|
# This file controls the state of SELinux on the system. |
|
# SELINUX= can take one of these three values: |
|
# enforcing - SELinux security policy is enforced. |
|
# permissive - SELinux prints warnings instead of enforcing. |
|
# disabled - No SELinux policy is loaded. |
|
SELINUX=permissive |
|
# SELINUXTYPE= can take one of these three values: |
|
# targeted - Targeted processes are protected, |
|
# minimum - Modification of targeted policy. Only selected processes are protected. |
|
# mls - Multi Level Security protection. |
|
SELINUXTYPE=targeted |
|
|
|
7. Enable filesystem SELinux labeling at the next reboot: |
|
|
|
# touch /.autorelabel |
|
|
|
8. Reboot machine and it will label filesystems and load Targeted policy into the kernel; |
|
|
|
9. Login and check that dmesg output doesn't mention that perf_event class is unknown to SELinux subsystem; |
|
|
|
10. Check that SELinux is enabled and in Permissive mode |
|
|
|
# getenforce |
|
Permissive |
|
|
|
11. Turn SELinux into Enforcing mode: |
|
|
|
# setenforce 1 |
|
# getenforce |
|
Enforcing |
|
|
|
Opening access to perf_event_open() syscall on Fedora with SELinux |
|
================================================================== |
|
|
|
Access to performance monitoring and observability operations by Perf |
|
can be limited for superuser or CAP_PERFMON or CAP_SYS_ADMIN privileged |
|
processes. MAC policy settings (e.g. SELinux) can be loaded into the kernel |
|
and prevent unauthorized access to perf_event_open() syscall. In such case |
|
Perf tool provides a message similar to the one below: |
|
|
|
# perf stat |
|
Error: |
|
Access to performance monitoring and observability operations is limited. |
|
Enforced MAC policy settings (SELinux) can limit access to performance |
|
monitoring and observability operations. Inspect system audit records for |
|
more perf_event access control information and adjusting the policy. |
|
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open |
|
access to performance monitoring and observability operations for users |
|
without CAP_PERFMON or CAP_SYS_ADMIN Linux capability. |
|
perf_event_paranoid setting is -1: |
|
-1: Allow use of (almost) all events by all users |
|
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK |
|
>= 0: Disallow raw and ftrace function tracepoint access |
|
>= 1: Disallow CPU event access |
|
>= 2: Disallow kernel profiling |
|
To make the adjusted perf_event_paranoid setting permanent preserve it |
|
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>) |
|
|
|
To make sure that access is limited by MAC policy settings inspect system |
|
audit records using journalctl command or /var/log/audit/audit.log so the |
|
output would contain AVC denied records related to perf_event: |
|
|
|
# journalctl --reverse --no-pager | grep perf_event |
|
|
|
python3[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t. |
|
If you believe that perf should be allowed open access on perf_event labeled unconfined_t by default. |
|
setroubleshoot[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t. For complete SELinux messages run: sealert -l 4595ce5b-e58f-462c-9d86-3bc2074935de |
|
audit[1318098]: AVC avc: denied { open } for pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0 |
|
|
|
In order to open access to perf_event_open() syscall MAC policy settings can |
|
require to be extended. On SELinux system this can be done by loading a special |
|
policy module extending base policy settings. Perf related policy module can |
|
be generated using the system audit records about blocking perf_event access. |
|
Run the command below to generate my-perf.te policy extension file with |
|
perf_event related rules: |
|
|
|
# ausearch -c 'perf' --raw | audit2allow -M my-perf && cat my-perf.te |
|
|
|
module my-perf 1.0; |
|
|
|
require { |
|
type unconfined_t; |
|
class perf_event { cpu kernel open read tracepoint write }; |
|
} |
|
|
|
#============= unconfined_t ============== |
|
allow unconfined_t self:perf_event { cpu kernel open read tracepoint write }; |
|
|
|
Now compile, pack and load my-perf.pp extension module into the kernel: |
|
|
|
# checkmodule -M -m -o my-perf.mod my-perf.te |
|
# semodule_package -o my-perf.pp -m my-perf.mod |
|
# semodule -X 300 -i my-perf.pp |
|
|
|
After all those taken steps above access to perf_event_open() syscall should |
|
now be allowed by the policy settings. Check access running Perf like this: |
|
|
|
# perf stat |
|
^C |
|
Performance counter stats for 'system wide': |
|
|
|
36,387.41 msec cpu-clock # 7.999 CPUs utilized |
|
2,629 context-switches # 0.072 K/sec |
|
57 cpu-migrations # 0.002 K/sec |
|
1 page-faults # 0.000 K/sec |
|
263,721,559 cycles # 0.007 GHz |
|
175,746,713 instructions # 0.67 insn per cycle |
|
19,628,798 branches # 0.539 M/sec |
|
1,259,201 branch-misses # 6.42% of all branches |
|
|
|
4.549061439 seconds time elapsed |
|
|
|
The generated perf-event.pp related policy extension module can be removed |
|
from the kernel using this command: |
|
|
|
# semodule -X 300 -r my-perf |
|
|
|
Alternatively the module can be temporarily disabled and enabled back using |
|
these two commands: |
|
|
|
# semodule -d my-perf |
|
# semodule -e my-perf |
|
|
|
If something went wrong |
|
======================= |
|
|
|
To turn SELinux into Permissive mode: |
|
# setenforce 0 |
|
|
|
To fully disable SELinux during kernel boot [3] set kernel command line parameter selinux=0 |
|
|
|
To remove SELinux labeling from local filesystems: |
|
# find / -mount -print0 | xargs -0 setfattr -h -x security.selinux |
|
|
|
To fully turn SELinux off a machine set SELINUX=disabled at /etc/selinux/config file and reboot; |
|
|
|
Links |
|
===== |
|
|
|
[1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s/selinux-policy-3.14.4-49.fc31.src.rpm |
|
[2] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html |
|
[3] https://danwalsh.livejournal.com/10972.html
|
|
|