• Joel Fernandes (Google)'s avatar
    perf_event: Add support for LSM and SELinux checks · da97e184
    Joel Fernandes (Google) authored
    In current mainline, the degree of access to perf_event_open(2) system
    call depends on the perf_event_paranoid sysctl.  This has a number of
    limitations:
    
    1. The sysctl is only a single value. Many types of accesses are controlled
       based on the single value thus making the control very limited and
       coarse grained.
    2. The sysctl is global, so if the sysctl is changed, then that means
       all processes get access to perf_event_open(2) opening the door to
       security issues.
    
    This patch adds LSM and SELinux access checking which will be used in
    Android to access perf_event_open(2) for the purposes of attaching BPF
    programs to tracepoints, perf profiling and other operations from
    userspace. These operations are intended for production systems.
    
    5 new LSM hooks are added:
    1. perf_event_open: This controls access during the perf_event_open(2)
       syscall itself. The hook is called from all the places that the
       perf_event_paranoid sysctl is checked to keep it consistent with the
       systctl. The hook gets passed a 'type' argument which controls CPU,
       kernel and tracepoint accesses (in this context, CPU, kernel and
       tracepoint have the same semantics as the perf_event_paranoid sysctl).
       Additionally, I added an 'open' type which is similar to
       perf_event_paranoid sysctl == 3 patch carried in Android and several other
       distros but was rejected in mainline [1] in 2016.
    
    2. perf_event_alloc: This allocates a new security object for the event
       which stores the current SID within the event. It will be useful when
       the perf event's FD is passed through IPC to another process which may
       try to read the FD. Appropriate security checks will limit access.
    
    3. perf_event_free: Called when the event is closed.
    
    4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
    
    5. perf_event_write: Called from the ioctl(2) syscalls for the event.
    
    [1] https://lwn.net/Articles/696240/
    
    Since Peter had suggest LSM hooks in 2016 [1], I am adding his
    Suggested-by tag below.
    
    To use this patch, we set the perf_event_paranoid sysctl to -1 and then
    apply selinux checking as appropriate (default deny everything, and then
    add policy rules to give access to domains that need it). In the future
    we can remove the perf_event_paranoid sysctl altogether.
    Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
    Co-developed-by: default avatarPeter Zijlstra <peterz@infradead.org>
    Signed-off-by: default avatarJoel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
    Acked-by: default avatarJames Morris <jmorris@namei.org>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: rostedt@goodmis.org
    Cc: Yonghong Song <yhs@fb.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: jeffv@google.com
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Daniel Borkmann <daniel@iogearbox.net>
    Cc: primiano@google.com
    Cc: Song Liu <songliubraving@fb.com>
    Cc: rsavitski@google.com
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Matthew Garrett <matthewgarrett@google.com>
    Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org
    da97e184
classmap.h 8 KB