16 Apr, 2020

1 commit

• 902a8dcc5   doc/admin-guide: Update perf-security.rst with CAP_PERFMON information ... Browse Code »

  Update perf-security.rst documentation file with the information
  related to usage of CAP_PERFMON capability to secure performance
  monitoring and observability operations in system.

  Committer notes:

  While testing 'perf top' under cap_perfmon I noticed that it needs
  some more capability and Alexey pointed out cap_ipc_lock, as needed by
  this kernel chunk:

  kernel/events/core.c: 6101
  if ((locked > lock_limit) && perf_is_paranoid() &&
  !capable(CAP_IPC_LOCK)) {
  ret = -EPERM;
  goto unlock;
  }

  So I added it to the documentation, and also mentioned that if the
  libcap version doesn't yet supports 'cap_perfmon', its numeric value can
  be used instead, i.e. if:

  # setcap "cap_perfmon,cap_ipc_lock,cap_sys_ptrace,cap_syslog=ep" perf

  Fails, try:

  # setcap "38,cap_ipc_lock,cap_sys_ptrace,cap_syslog=ep" perf

  I also added a paragraph stating that using an unpatched libcap will
  fail the check for CAP_PERFMON, as it checks the cap number against a
  maximum to see if it is valid, which makes it use as the default the
  'cycles:u' event, even tho a cap_perfmon capable perf binary can get
  kernel samples, to workaround that just use, e.g.:

  # perf top -e cycles
  # perf record -e cycles

  And it will sample kernel and user modes.

  Signed-off-by: Alexey Budankov
  Tested-by: Arnaldo Carvalho de Melo
  Cc: Alexei Starovoitov
  Cc: Andi Kleen
  Cc: Igor Lubashev
  Cc: James Morris
  Cc: Jiri Olsa
  Cc: Namhyung Kim
  Cc: Peter Zijlstra
  Cc: Serge Hallyn
  Cc: Song Liu
  Cc: Stephane Eranian
  Cc: Thomas Gleixner
  Cc: intel-gfx@lists.freedesktop.org
  Cc: linux-doc@vger.kernel.org
  Cc: linux-man@vger.kernel.org
  Cc: linux-security-module@vger.kernel.org
  Cc: selinux@vger.kernel.org
  Link: http://lore.kernel.org/lkml/17278551-9399-9ebe-d665-8827016a217d@linux.intel.com
  Signed-off-by: Arnaldo Carvalho de Melo

  Alexey Budankov

  2020-04-16 23:19:10 +0800  

18 Feb, 2019

4 commits

• e85a198e3   perf-security: wrap paragraphs on 72 columns ... Browse Code »

  Implemented formatting of paragraphs to be not wider than 72 columns.

  Signed-off-by: Alexey Budankov
  Signed-off-by: Jonathan Corbet

  Alexey Budankov

  2019-02-18 07:05:00 +0800  
• e152c7b7b   perf-security: elaborate on perf_events/Perf privileged users ... Browse Code »

  Elaborate on possible perf_event/Perf privileged users groups
  and document steps about creating such groups.

  Signed-off-by: Alexey Budankov
  Signed-off-by: Jonathan Corbet

  Alexey Budankov

  2019-02-18 07:04:56 +0800  
• 68570ca0b   perf-security: document collected perf_events/Perf data categories ... Browse Code »

  Document and categorize system and performance data into groups that
  can be captured by perf_events/Perf and explicitly indicate the group
  that can contain process sensitive data.

  Signed-off-by: Alexey Budankov
  Signed-off-by: Jonathan Corbet

  Alexey Budankov

  2019-02-18 07:04:51 +0800  
• 9d87bbae2   perf-security: document perf_events/Perf resource control ... Browse Code »

  Extend perf-security.rst file with perf_events/Perf resource control
  section describing RLIMIT_NOFILE and perf_event_mlock_kb settings for
  performance monitoring user processes.

  Signed-off-by: Alexey Budankov
  Signed-off-by: Jonathan Corbet

  Alexey Budankov

  2019-02-18 07:04:45 +0800  

07 Dec, 2018

1 commit

• 76e7fd843   Documentation/admin-guide: introduce perf-security.rst file ... Browse Code »

  Implement initial version of perf-security.rst documentation file
  covering security concerns of perf_event_paranoid settings.

  Suggested-by: Thomas Gleixner
  Signed-off-by: Alexey Budankov
  Reviewed-by: Kees Cook
  Signed-off-by: Jonathan Corbet

  Alexey Budankov

  2018-12-07 00:50:33 +0800