tools/perf/Documentation/security.txt

Source file: repositories/reference/linux-study-clean/tools/perf/Documentation/security.txt

File Facts

System: Linux kernel
Corpus path: tools/perf/Documentation/security.txt
Extension: .txt
Size: 9541 bytes
Lines: 238
Domain: Support Tooling And Documentation
Bucket: tools
Inferred role: Support Tooling And Documentation: documentation
Status: atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

Overview
========

For general security-related questions about perf_event_open() syscall usage
and about performance monitoring and observability operations with Perf, see:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html

Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall
==============================================================================

LSM hooks providing mandatory access control for the perf_event_open() syscall
are available starting from Linux v5.3. Below are the steps to extend the Fedora
(v31) Targeted policy with perf_event_open() access control capabilities:

1. Download the selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
   and install it so that an rpmbuild directory exists in the current working directory:

   # rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm

2. Get into the rpmbuild/SPECS directory and unpack the source code:

   # rpmbuild -bp selinux-policy.spec

3. Place the patch below in the rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
   directory and apply it:

   # patch -p1 < selinux-policy-perf-events-perfmon.patch
   patching file policy/flask/access_vectors
   patching file policy/flask/security_classes
   # cat selinux-policy-perf-events-perfmon.patch
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
--- a/policy/flask/access_vectors	2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/access_vectors	2020-02-28 23:37:25.000000000 +0300
@@ -174,6 +174,7 @@
 	wake_alarm
 	block_suspend
 	audit_read
+	perfmon
 }
 
 #
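Review bot: perfmon is appended after audit_read in the capability permission list, and that position is what fixes the permission bit the policy compiler assigns, so it has to correspond to the kernel's number for the new capability and any capability added later must go after perfmon, never before it. A one-line comment next to the entry stating which kernel capability it stands for would make that ordering constraint visible to the next person editing this list.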
@@ -1099,3 +1100,15 @@
 
 class xdp_socket
 inherits socket
+
+class perf_event
+{
+	open
+	cpu
+	kernel
+	tracepoint
+	read
+	write
+}
+
+
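Review bot: the hunk ends with two added empty lines after the closing brace of class perf_event, leaving trailing blank lines at the end of access_vectors; one blank line is enough and the extra one will show up as whitespace noise in later diffs. The six permissions (open, cpu, kernel, tracepoint, read, write) are the ones the perf_event LSM hooks check, and their order in this block must stay in step with the kernel's class map, so a comment saying so above the class would help.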
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
--- a/policy/flask/security_classes	2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/security_classes	2020-02-28 21:35:17.000000000 +0300
@@ -200,4 +200,6 @@
 
 class xdp_socket
 
+class perf_event
+
 # FLASK
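Review bot: placing the class perf_event declaration at the end of security_classes, after xdp_socket and before the # FLASK marker, keeps the indices of all existing classes unchanged, which is the right choice for a new class. This hunk and the access_vectors hunk have to land together, since the permission block in access_vectors is only valid once the class is declared here; a short comment pointing at the access_vectors definition would document that coupling.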

4. Get into the rpmbuild/SPECS directory and build policy packages from the patched sources:
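After the patched packages are built and installed, a practitioner wants to confirm that the patch reached both policy source files and that the loaded policy actually exposes the new class. The POSIX shell helpers below are an added example, not part of the kernel documentation or the selinux-policy package; they assume the policy/flask/ layout shown in the patch above and the selinuxfs layout /sys/fs/selinux/class/<class>/perms/<perm>.

```shell
#!/bin/sh
# Added verification helpers (not part of the kernel documentation or the
# selinux-policy package). Assumptions: the policy tree layout
# policy/flask/{access_vectors,security_classes} seen in the patch above, and
# the selinuxfs layout /sys/fs/selinux/class/<class>/perms/<perm>.

# Permissions the patch defines for class perf_event.
PERF_EVENT_PERMS="open cpu kernel tracepoint read write"

# check_policy_sources <policy-dir>
# 0: patch fully present; 1: files missing; 2: class not declared in
# security_classes; 3: a permission is missing; 4: perfmon not added.
check_policy_sources() {
    dir="$1"
    sc="$dir/policy/flask/security_classes"
    av="$dir/policy/flask/access_vectors"
    [ -f "$sc" ] && [ -f "$av" ] || return 1
    grep -qx 'class perf_event' "$sc" || return 2
    # Body of "class perf_event { ... }" in access_vectors, up to the closing brace.
    body=$(awk '/^class perf_event$/ {inblk=1; next}
                inblk && /^}/ {exit}
                inblk {print}' "$av")
    for p in $PERF_EVENT_PERMS; do
        printf '%s\n' "$body" | grep -qx "[[:space:]]*$p" || return 3
    done
    grep -qx '[[:space:]]*perfmon' "$av" || return 4
    return 0
}

# check_loaded_policy [selinuxfs-root]   (default /sys/fs/selinux)
# 0: loaded policy has the class with every permission and perfmon in
# capability2; 1: class absent; 2: a permission absent; 3: perfmon absent.
check_loaded_policy() {
    root="${1:-/sys/fs/selinux}"
    perms="$root/class/perf_event/perms"
    [ -d "$perms" ] || return 1
    for p in $PERF_EVENT_PERMS; do
        [ -f "$perms/$p" ] || return 2
    done
    [ -f "$root/class/capability2/perms/perfmon" ] || return 3
    return 0
}
```

Run check_policy_sources against the rpmbuild/BUILD tree before step 4 and check_loaded_policy on the target host after the new policy package is installed; a non-zero return code tells you which part of the patch did not take effect.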

Annotation

Implementation Notes