4

I want to exploit capabilities to run some tests with perf, without running commands as root and without tweaking /proc/sys/kernel/perf_event_paranoid. Some error messages of perf says:

You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid,
which controls use of the performance events system by
unprivileged users (without CAP_SYS_ADMIN).
The current value is 2:
-1: Allow use of (almost) all events by all users
>= 0: Disallow raw tracepoint access by users without CAP_IPC_LOCK
>= 1: Disallow CPU event access by users without CAP_SYS_ADMIN
>= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN

so i tried created some bash script with the same source but different sets of capabilities in the following way:

wrapper_no_cap.sh -> no capabilities set
wrapper_cap_ipc_lock.sh -> setcap cap_ipc_lock+eip ./wrapper_cap_ipc_lock.sh
wrapper_cap_sys_admin.sh -> setcap cap_sys_admin+eip ./wrapper_cap_sys_admin.sh

Every script has the same source, which is the following:

#!/bin/bash
perf stat -e L1-dcache-load-misses:k seq 1 10

But every script i run gives me the result as if i were a regular user (which means i cannot count kernel events or other privileged stuff). It's like capabilities are discarded when i call the script. perf version is 4.11.ga351e9.

What is wrong with this method?

fusiled
  • 199
  • 2
  • 10
  • For suid bit bash often purposely disables it on start (disabled by bash `-p` option - https://www.gnu.org/software/bash/manual/bash.html "Invoked with unequal effective and real UID/GIDs"), but not do this for capabilities. It may be done by kernel (https://unix.stackexchange.com/questions/87348/capabilities-for-a-script-on-linux https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts). How exactly did you start script: "`./script`" "`source script`" or "`bash ./script`"? Try to write small C program to start `perf` with execve and use setuid on it. – osgx May 20 '17 at 03:33
  • @osgx i used shebang (`./script`). As pointed out by you and on the internet (and also here: https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts?noredirect=1&lq=1), capability inheritance seems to be filtered out by interpreters. I figured out a turnaround thanks to your suggestion regarding the C program. – fusiled May 22 '17 at 14:04

2 Answers2

2

Script files often have their suid bit disabled (both in kernel and in some shell interpreters), seems there is similar effect on capabilities (and script files are actually started using interpreters like bash ./scriptfile, so capabilities from the script file may not be inherited by the process):

Use small simple compiled program to call perf with exec/execve and set capabilities on binary ELF.

Actual code in Linux kernel for script starting - http://elixir.free-electrons.com/linux/v4.10/source/fs/binfmt_script.c - uses interpreter binary file, not the script file (old bprm->file), to get permissions like suid

/*
 * OK, now restart the process with the interpreter's dentry.
 */
file = open_exec(interp);
if (IS_ERR(file))
    return PTR_ERR(file);

bprm->file = file;
retval = prepare_binprm(bprm);

http://elixir.free-electrons.com/linux/v4.10/source/fs/exec.c#L1512

/*
 * Fill the binprm structure from the inode.
 * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
 *
 * This may be called multiple times for binary chains (scripts for example).
 */
int prepare_binprm(struct linux_binprm *bprm)
{
    int retval;

    bprm_fill_uid(bprm);

    /* fill in binprm security blob */
    retval = security_bprm_set_creds(bprm);
    if (retval)
        return retval;
    bprm->cred_prepared = 1;
  ...

static void bprm_fill_uid(struct linux_binprm *bprm)
{
    /* Be careful if suid/sgid is set */
    inode_lock(inode);

    /* reload atomically mode/uid/gid now that lock held */
    mode = inode->i_mode;
    uid = inode->i_uid;
    gid = inode->i_gid;
...
osgx
  • 90,338
  • 53
  • 357
  • 513
1

I figured out a turnaround taking advantage @osgx suggestion.

I wrote this small C program which wraps perf. Here it is:

#include <unistd.h>
#include <stdio.h>
#include <sys/capability.h>

#define MY_CAPABILIY "cap_sys_admin+eip"

int main(int argc, char * argv[], char * envp[])
{
    cap_t old_cap=cap_get_proc(); //save current capabilities
    //getting MY_CAPABILITY associated struct
    cap_t csa = cap_from_text(MY_CAPABILIY);  
    //set capabilities
    if(cap_set_proc(csa)<0) fprintf(stderr,"cannot set %s\n",MY_CAPABILIY);
    execve("/usr/bin/perf",argv,envp);     //exec perf 
    //restore capabilties
    if(cap_set_proc(old_cap)<0) fprintf(stderr, "Error on capability restore\n" );
    return 0;
}

Let's call the executable generated from the code above perf_wrapper. It is compiled with libcap (add the option -lcap to gcc). The executable simply set MY_CAPABILITY as the capability of the process and then runs perf (or other commands). But this is not sufficient to run perf with CAP_SYS_ADMIN because the executable of perf does not have any capability. To let the things work it is also required to add some capabilities to the perf executable.

The steps are the following:

  1. sudo setcap cap_sys_admin+ei /usr/bin/perf , This sets perf capabilities of CAP_SYS_ADMIN to effective and inheritable (also setting permitted won't allow normal users to run perf without capabilities).
  2. sudo setcap cap_sys_admin+eip perf_wrapperset the capability of perf_wrapper

Now it is possible to use perf with CAP_SYS_ADMIN by executing perf_wrapper and passing params just like perf in normal bash scripts.

NOTE: i am not an expert of capabilities. I hope that i didn't do big security mistakes.

osgx
  • 90,338
  • 53
  • 357
  • 513
fusiled
  • 199
  • 2
  • 10
  • Check the perf "executable" with `file \`which perf\`` - `/usr/bin/perf` can be script too. Changing capability on `/usr/bin/perf` file sounds wrong. – osgx May 22 '17 at 14:26
  • I wasn't sure about this, but `which perf ` returns `/usr/bin/perf`. – fusiled May 22 '17 at 14:42
  • And what returns command `file /usr/bin/perf` (and also check `less /usr/bin/perf`). In ubuntu this is script. – osgx May 22 '17 at 14:59
  • 2
    `/usr/bin/perf` returns: `/usr/bin/perf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=23fb95b8897399ebefa32ec95fb8ef605833cbea, not stripped, with debug_info`. If you open `/usr/bin/perf` with a text-editor is obviously an executable. I'm using arch-linux. I'm quite sure that it is the perf executable. – fusiled May 22 '17 at 15:02