blob: 4fe3b8b1958f6da38d11fa2e43928f75aec8e290 [file] [log] [blame]
For general security related questions of perf_event_open() syscall usage,
performance monitoring and observability operations by Perf see here:
Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall
LSM hooks for mandatory access control for perf_event_open() syscall can be
used starting from Linux v5.3. Below are the steps to extend Fedora (v31) with
Targeted policy with perf_event_open() access control capabilities:
1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
and install it so rpmbuild directory would exist in the current working directory:
# rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm
2. Get into rpmbuild/SPECS directory and unpack the source code:
# rpmbuild -bp selinux-policy.spec
3. Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
directory and apply it:
# patch -p1 < selinux-policy-perf-events-perfmon.patch
patching file policy/flask/access_vectors
patching file policy/flask/security_classes
# cat selinux-policy-perf-events-perfmon.patch
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
--- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300
@@ -174,6 +174,7 @@
+ perfmon
@@ -1099,3 +1100,15 @@
class xdp_socket
inherits socket
+class perf_event
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
--- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300
@@ -200,4 +200,6 @@
class xdp_socket
+class perf_event
4. Get into rpmbuild/SPECS directory and build policy packages from patched sources:
# rpmbuild --noclean --noprep -ba selinux-policy.spec
so you have this:
# ls -alh rpmbuild/RPMS/noarch/
total 33M
drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..
-rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm
-rw-r--r--. 1 root root 14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm
5. Install SELinux packages from Fedora repo, if not already done so, and
update with the patched rpms above:
# rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*
6. Enable SELinux Permissive mode for Targeted policy, if not already done so:
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
7. Enable filesystem SELinux labeling at the next reboot:
# touch /.autorelabel
8. Reboot machine and it will label filesystems and load Targeted policy into the kernel;
9. Login and check that dmesg output doesn't mention that perf_event class is unknown to SELinux subsystem;
10. Check that SELinux is enabled and in Permissive mode
# getenforce
11. Turn SELinux into Enforcing mode:
# setenforce 1
# getenforce
Opening access to perf_event_open() syscall on Fedora with SELinux
Access to performance monitoring and observability operations by Perf
can be limited for superuser or CAP_PERFMON or CAP_SYS_ADMIN privileged
processes. MAC policy settings (e.g. SELinux) can be loaded into the kernel
and prevent unauthorized access to perf_event_open() syscall. In such case
Perf tool provides a message similar to the one below:
# perf stat
Access to performance monitoring and observability operations is limited.
Enforced MAC policy settings (SELinux) can limit access to performance
monitoring and observability operations. Inspect system audit records for
more perf_event access control information and adjusting the policy.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for users
without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
perf_event_paranoid setting is -1:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
To make sure that access is limited by MAC policy settings inspect system
audit records using journalctl command or /var/log/audit/audit.log so the
output would contain AVC denied records related to perf_event:
# journalctl --reverse --no-pager | grep perf_event
python3[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t.
If you believe that perf should be allowed open access on perf_event labeled unconfined_t by default.
setroubleshoot[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t. For complete SELinux messages run: sealert -l 4595ce5b-e58f-462c-9d86-3bc2074935de
audit[1318098]: AVC avc: denied { open } for pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0
In order to open access to perf_event_open() syscall MAC policy settings can
require to be extended. On SELinux system this can be done by loading a special
policy module extending base policy settings. Perf related policy module can
be generated using the system audit records about blocking perf_event access.
Run the command below to generate my-perf.te policy extension file with
perf_event related rules:
# ausearch -c 'perf' --raw | audit2allow -M my-perf && cat my-perf.te
module my-perf 1.0;
require {
type unconfined_t;
class perf_event { cpu kernel open read tracepoint write };
#============= unconfined_t ==============
allow unconfined_t self:perf_event { cpu kernel open read tracepoint write };
Now compile, pack and load my-perf.pp extension module into the kernel:
# checkmodule -M -m -o my-perf.mod my-perf.te
# semodule_package -o my-perf.pp -m my-perf.mod
# semodule -X 300 -i my-perf.pp
After all those taken steps above access to perf_event_open() syscall should
now be allowed by the policy settings. Check access running Perf like this:
# perf stat
Performance counter stats for 'system wide':
36,387.41 msec cpu-clock # 7.999 CPUs utilized
2,629 context-switches # 0.072 K/sec
57 cpu-migrations # 0.002 K/sec
1 page-faults # 0.000 K/sec
263,721,559 cycles # 0.007 GHz
175,746,713 instructions # 0.67 insn per cycle
19,628,798 branches # 0.539 M/sec
1,259,201 branch-misses # 6.42% of all branches
4.549061439 seconds time elapsed
The generated perf-event.pp related policy extension module can be removed
from the kernel using this command:
# semodule -X 300 -r my-perf
Alternatively the module can be temporarily disabled and enabled back using
these two commands:
# semodule -d my-perf
# semodule -e my-perf
If something went wrong
To turn SELinux into Permissive mode:
# setenforce 0
To fully disable SELinux during kernel boot [3] set kernel command line parameter selinux=0
To remove SELinux labeling from local filesystems:
# find / -mount -print0 | xargs -0 setfattr -h -x security.selinux
To fully turn SELinux off a machine set SELINUX=disabled at /etc/selinux/config file and reboot;