perf docs: Introduce security.txt file to document related issues

Overview

========

For general security related questions of perf_event_open() syscall usage,

performance monitoring and observability operations by Perf see here:

https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html

Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall

==============================================================================

LSM hooks for mandatory access control for perf_event_open() syscall can be

used starting from Linux v5.3. Below are the steps to extend Fedora (v31) with

Targeted policy with perf_event_open() access control capabilities:

1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)

   and install it so rpmbuild directory would exist in the current working directory:

   # rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm

2. Get into rpmbuild/SPECS directory and unpack the source code:

   # rpmbuild -bp selinux-policy.spec

3. Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02

   directory and apply it:

   # patch -p1 < selinux-policy-perf-events-perfmon.patch

   patching file policy/flask/access_vectors

   patching file policy/flask/security_classes

   # cat selinux-policy-perf-events-perfmon.patch

diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors

--- a/policy/flask/access_vectors	2020-02-04 18:19:53.000000000 +0300

+++ b/policy/flask/access_vectors	2020-02-28 23:37:25.000000000 +0300

@@ -174,6 +174,7 @@

 	wake_alarm

 	block_suspend

 	audit_read

+	perfmon

 }

 #

@@ -1099,3 +1100,15 @@

 class xdp_socket

 inherits socket

+

+class perf_event

+{

+	open

+	cpu

+	kernel

+	tracepoint

+	read

+	write

+}

+

+

diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes

--- a/policy/flask/security_classes	2020-02-04 18:19:53.000000000 +0300

+++ b/policy/flask/security_classes	2020-02-28 21:35:17.000000000 +0300

@@ -200,4 +200,6 @@

 class xdp_socket

+class perf_event

+

 # FLASK

4. Get into rpmbuild/SPECS directory and build policy packages from patched sources:

   # rpmbuild --noclean --noprep -ba selinux-policy.spec

   so you have this:

   # ls -alh rpmbuild/RPMS/noarch/

   total 33M

   drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .

   drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..

   -rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm

   -rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm

   -rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm

   -rw-r--r--. 1 root root  12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm

   -rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm

   -rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm

   -rw-r--r--. 1 root root  14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm

5. Install SELinux packages from Fedora repo, if not already done so, and

   update with the patched rpms above:

   # rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*

6. Enable SELinux Permissive mode for Targeted policy, if not already done so:

   # cat /etc/selinux/config

   # This file controls the state of SELinux on the system.

   # SELINUX= can take one of these three values:

   #     enforcing - SELinux security policy is enforced.

   #     permissive - SELinux prints warnings instead of enforcing.

   #     disabled - No SELinux policy is loaded.

   SELINUX=permissive

   # SELINUXTYPE= can take one of these three values:

   #     targeted - Targeted processes are protected,

   #     minimum - Modification of targeted policy. Only selected processes are protected.

   #     mls - Multi Level Security protection.

   SELINUXTYPE=targeted

7. Enable filesystem SELinux labeling at the next reboot:

   # touch /.autorelabel

8. Reboot machine and it will label filesystems and load Targeted policy into the kernel;

9. Login and check that dmesg output doesn't mention that perf_event class is unknown to SELinux subsystem;

10. Check that SELinux is enabled and in Permissive mode

    # getenforce

    Permissive

11. Turn SELinux into Enforcing mode:

    # setenforce 1

    # getenforce

    Enforcing

Opening access to perf_event_open() syscall on Fedora with SELinux

==================================================================

Access to performance monitoring and observability operations by Perf

can be limited for superuser or CAP_PERFMON or CAP_SYS_ADMIN privileged

processes. MAC policy settings (e.g. SELinux) can be loaded into the kernel

and prevent unauthorized access to perf_event_open() syscall. In such case

Perf tool provides a message similar to the one below:

   # perf stat

   Error:

   Access to performance monitoring and observability operations is limited.

   Enforced MAC policy settings (SELinux) can limit access to performance

   monitoring and observability operations. Inspect system audit records for

   more perf_event access control information and adjusting the policy.

   Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open

   access to performance monitoring and observability operations for users

   without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.

   perf_event_paranoid setting is -1:

     -1: Allow use of (almost) all events by all users

         Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK

   >= 0: Disallow raw and ftrace function tracepoint access

   >= 1: Disallow CPU event access

   >= 2: Disallow kernel profiling

   To make the adjusted perf_event_paranoid setting permanent preserve it

   in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)

To make sure that access is limited by MAC policy settings inspect system

audit records using journalctl command or /var/log/audit/audit.log so the

output would contain AVC denied records related to perf_event:

   # journalctl --reverse --no-pager | grep perf_event

   python3[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t.

                                         If you believe that perf should be allowed open access on perf_event labeled unconfined_t by default.

   setroubleshoot[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t. For complete SELinux messages run: sealert -l 4595ce5b-e58f-462c-9d86-3bc2074935de

   audit[1318098]: AVC avc:  denied  { open } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0

In order to open access to perf_event_open() syscall MAC policy settings can

require to be extended. On SELinux system this can be done by loading a special

policy module extending base policy settings. Perf related policy module can

be generated using the system audit records about blocking perf_event access.

Run the command below to generate my-perf.te policy extension file with

perf_event related rules:

   # ausearch -c 'perf' --raw | audit2allow -M my-perf && cat my-perf.te

   module my-perf 1.0;

   require {

        type unconfined_t;

        class perf_event { cpu kernel open read tracepoint write };

   }

   #============= unconfined_t ==============

   allow unconfined_t self:perf_event { cpu kernel open read tracepoint write };

Now compile, pack and load my-perf.pp extension module into the kernel:

   # checkmodule -M -m -o my-perf.mod my-perf.te

   # semodule_package -o my-perf.pp -m my-perf.mod

   # semodule -X 300 -i my-perf.pp

After all those taken steps above access to perf_event_open() syscall should

now be allowed by the policy settings. Check access running Perf like this:

   # perf stat

   ^C

   Performance counter stats for 'system wide':

         36,387.41 msec cpu-clock                 #    7.999 CPUs utilized

             2,629      context-switches          #    0.072 K/sec

                57      cpu-migrations            #    0.002 K/sec

                 1      page-faults               #    0.000 K/sec

       263,721,559      cycles                    #    0.007 GHz

       175,746,713      instructions              #    0.67  insn per cycle

        19,628,798      branches                  #    0.539 M/sec

         1,259,201      branch-misses             #    6.42% of all branches

       4.549061439 seconds time elapsed

The generated perf-event.pp related policy extension module can be removed

from the kernel using this command:

   # semodule -X 300 -r my-perf

Alternatively the module can be temporarily disabled and enabled back using

these two commands:

   # semodule -d my-perf

   # semodule -e my-perf

If something went wrong

=======================

To turn SELinux into Permissive mode:

   # setenforce 0

To fully disable SELinux during kernel boot [3] set kernel command line parameter selinux=0

To remove SELinux labeling from local filesystems:

   # find / -mount -print0 | xargs -0 setfattr -h -x security.selinux

To fully turn SELinux off a machine set SELINUX=disabled at /etc/selinux/config file and reboot;

Links

=====

[1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s/selinux-policy-3.14.4-49.fc31.src.rpm

[2] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html

[3] https://danwalsh.livejournal.com/10972.html