tools/perf/Documentation/security.txt
Source file repositories/reference/linux-study-clean/tools/perf/Documentation/security.txt
File Facts
- System: Linux kernel
- Corpus path: tools/perf/Documentation/security.txt
- Extension: .txt
- Size: 9541 bytes
- Lines: 238
- Domain: Support Tooling And Documentation
- Bucket: tools
- Inferred role: Support Tooling And Documentation: documentation
- Status: atlas-only
Why This File Exists
Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
Overview
========
For general security-related questions about perf_event_open() syscall usage and
about performance monitoring and observability operations by Perf, see:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall
==============================================================================
LSM hooks for mandatory access control of the perf_event_open() syscall are
available starting from Linux v5.3. Below are the steps to extend the Fedora (v31)
targeted policy with perf_event_open() access control capabilities:
1. Download the selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
   and install it so that the rpmbuild directory exists in the current working directory:

   # rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm

2. Get into the rpmbuild/SPECS directory and unpack the source code:

   # rpmbuild -bp selinux-policy.spec

3. Place the patch below in the rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
   directory and apply it:

   # patch -p1 < selinux-policy-perf-events-perfmon.patch
   patching file policy/flask/access_vectors
   patching file policy/flask/security_classes

   # cat selinux-policy-perf-events-perfmon.patch
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
--- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300
@@ -174,6 +174,7 @@
wake_alarm
block_suspend
audit_read
+ perfmon
}
#
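Review bot: the enclosing class line is outside this hunk's context, so the diff alone shows `perfmon` being appended after `wake_alarm`, `block_suspend` and `audit_read` without naming the class that gains it (those names are the tail of the capability2 vector in refpolicy); regenerate with a few more context lines or say so in the patch description so a reviewer can confirm the placement. Note also that adding the name here only makes it known to the policy compiler: no domain is granted `perfmon` until an allow rule references it, so this hunk by itself changes no access decision.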
@@ -1099,3 +1100,15 @@
class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
+
+
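Review bot: the last two added lines of this hunk are blank, leaving the file ending in trailing whitespace after the new `class perf_event` block; drop them (the header would then read `+1100,13`). The six permission names (`open`, `cpu`, `kernel`, `tracepoint`, `read`, `write`) are looked up by name when the kernel loads the policy, so keep the spelling exactly as written here: a renamed entry would be reported as undefined at load time rather than mapped to the LSM hook it is meant to cover.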
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
--- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300
@@ -200,4 +200,6 @@
class xdp_socket
+class perf_event
+
# FLASK
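Review bot: the added blank line between `class perf_event` and the `# FLASK` end marker is unnecessary whitespace; a single `+class perf_event` line is enough (header `+200,5`). The declaration itself is required, not optional: the access_vectors hunk above refers to this class, so both files must be patched together or the policy build fails on the undeclared class.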
4. Get into the rpmbuild/SPECS directory and build the policy packages from the patched sources:
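Before the build in step 4, it is worth confirming that the step 3 patch left the two flask files consistent with each other. The script below is an added example, not part of the perf documentation or of the Fedora policy sources: it parses constructed miniatures of security_classes and access_vectors (the real files are much larger), checks that every class with an access vector is declared and vice versa, and checks that the patch's perf_event permissions and the capability2 perfmon entry are present. `check_policy`, `PERF_EVENT_PERMS` and the sample file contents are names and data chosen here.

```python
import re

# Constructed miniatures of the two flask files as they look after the patch above
# (not the real Fedora policy files; indentation is not significant).
SECURITY_CLASSES = "# FLASK\nclass capability2\nclass xdp_socket\nclass perf_event\n\n# FLASK\n"
ACCESS_VECTORS = """
common socket { ioctl read write }
class capability2
{
    wake_alarm
    block_suspend
    audit_read
    perfmon
}
class xdp_socket
inherits socket
class perf_event { open cpu kernel tracepoint read write }
"""
# The permission names the patch above gives the new class.
PERF_EVENT_PERMS = {"open", "cpu", "kernel", "tracepoint", "read", "write"}
# One statement: 'common NAME { perms }' or 'class NAME [inherits NAME] [{ perms }]'.
_STMT = re.compile(r"(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?(?:\s*\{([^}]*)\})?")

def parse_security_classes(text):
    """Class names in declaration order; '#' comments are ignored."""
    return re.findall(r"^class\s+(\w+)", re.sub(r"#.*", "", text), re.M)

def parse_access_vectors(text):
    """Map each class to its permission set, expanding 'inherits <common>'."""
    commons, classes = {}, {}
    for kind, name, parent, body in _STMT.findall(re.sub(r"#.*", "", text)):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = perms | commons.get(parent, set())
    return classes

def check_policy(sec_classes, access_vectors):
    """Return the problems a reviewer would flag; an empty list means consistent."""
    declared = set(parse_security_classes(sec_classes))
    defined = parse_access_vectors(access_vectors)
    problems = [f"{c}: in access_vectors but not in security_classes" for c in defined if c not in declared]
    problems += [f"{c}: in security_classes but has no access vector" for c in declared if c not in defined]
    missing = PERF_EVENT_PERMS - defined.get("perf_event", set())
    if missing:
        problems.append(f"perf_event: missing permissions {sorted(missing)}")
    if "perfmon" not in defined.get("capability2", set()):
        problems.append("capability2: perfmon permission not declared")
    return problems
```

To run it against a real checkout, read policy/flask/security_classes and policy/flask/access_vectors from the patched rpmbuild/BUILD tree and pass their contents to `check_policy`.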
Annotation
- Atlas domain: Support Tooling And Documentation / tools.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.