On 06.02.2020 21:30, Stephen Smalley wrote: > On 2/6/20 1:26 PM, Alexey Budankov wrote: >> >> On 06.02.2020 21:23, Stephen Smalley wrote: >>> On 2/5/20 12:30 PM, Alexey Budankov wrote: >>>> >>>> Introduce CAP_PERFMON capability designed to secure system performance >>>> monitoring and observability operations so that CAP_PERFMON would assist >>>> CAP_SYS_ADMIN capability in its governing role for performance monitoring >>>> and observability subsystems. >>>> >>>> CAP_PERFMON hardens system security and integrity during performance >>>> monitoring and observability operations by decreasing attack surface that >>>> is available to a CAP_SYS_ADMIN privileged process [2]. Providing the >>>> access >>>> to system performance monitoring and observability operations under >>>> CAP_PERFMON >>>> capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes >>>> chances to misuse the credentials and makes the operation more secure. >>>> Thus, CAP_PERFMON implements the principal of least privilege for >>>> performance >>>> monitoring and observability operations (POSIX IEEE 1003.1e: 2.2.2.39 >>>> principle >>>> of least privilege: A security design principle that states that a process >>>> or program be granted only those privileges (e.g., capabilities) necessary >>>> to accomplish its legitimate function, and only for the time that such >>>> privileges are actually required) >>>> >>>> CAP_PERFMON meets the demand to secure system performance monitoring and >>>> observability operations for adoption in security sensitive, restricted, >>>> multiuser production environments (e.g. HPC clusters, cloud and virtual >>>> compute >>>> environments), where root or CAP_SYS_ADMIN credentials are not available to >>>> mass users of a system, and securely unblocks accessibility of system >>>> performance monitoring and observability operations beyond root and >>>> CAP_SYS_ADMIN use cases. >>>> >>>> CAP_PERFMON takes over CAP_SYS_ADMIN credentials related to system >>>> performance >>>> monitoring and observability operations and balances amount of >>>> CAP_SYS_ADMIN >>>> credentials following the recommendations in the capabilities man page [1] >>>> for CAP_SYS_ADMIN: "Note: this capability is overloaded; see Notes to >>>> kernel >>>> developers, below." For backward compatibility reasons access to system >>>> performance monitoring and observability subsystems of the kernel remains >>>> open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN capability >>>> usage for secure system performance monitoring and observability operations >>>> is discouraged with respect to the designed CAP_PERFMON capability. >>>> >>>> Although the software running under CAP_PERFMON can not ensure avoidance >>>> of related hardware issues, the software can still mitigate these issues >>>> following the official hardware issues mitigation procedure [2]. The bugs >>>> in the software itself can be fixed following the standard kernel >>>> development >>>> process [3] to maintain and harden security of system performance >>>> monitoring >>>> and observability operations. >>>> >>>> [1] http://man7.org/linux/man-pages/man7/capabilities.7.html >>>> [2] >>>> https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html >>>> [3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html >>>> >>>> Signed-off-by: Alexey Budankov <alexey.budan...@linux.intel.com> >>> >>> This will require a small update to the selinux-testsuite to correctly >>> reflect the new capability requirements, but that's easy enough. >> >> Is the suite a part of the kernel sources or something else? > > It is external, > https://github.com/SELinuxProject/selinux-testsuite > > I wasn't suggesting that your patch be blocked on updating the testsuite, > just noting that it will need to be done.
Ok. Thanks! ~Alexey
