From 34b637f5f71e76a6f26e255c0a9a4867e5faba5c Mon Sep 17 00:00:00 2001 From: Michael Panzlaff Date: Fri, 8 Nov 2024 17:04:14 +0100 Subject: [PATCH] Update doc regarding setcap and permissions --- INSTALL | 18 ++++++++++++++++++ doc/likwid-doxygen.md | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/INSTALL b/INSTALL index 2c8756be3..fb8760a0c 100644 --- a/INSTALL +++ b/INSTALL 
@@ -146,6 +146,24 @@ on the executables. Not all file systems support capabilities. The only feasable way is to register the likwid-accessD and proxy all access over it. +If you want to avoid the suid-root likwid-accessD, it is still possible to use +direct mode access for normal users. Set the capabilities on the LIKWID binaries +as described above and additionally assign rw file permissions to the user on +/dev/cpu/*/msr (with groups, ACLs, etc.). However, beware of the security risk. + +In case access to MSRs is still not possible, you can additionally set +cap_dac_override. Please be aware that this poses a severe security risk, since +it allows accessD (accessdaemon mode) or one of the LIKWID binaries (direct mode) +to read and write all files on the system. This is easily exploitable to become +root. Do not do this unless you know what you are doing. + +Notes regarding Intel Sapphire Rapids (and possibly newer) CPUs: +In order to support Uncore Discovery, LIKWID needs read and write access to +/dev/mem. If required, set the capabilities the same way as you do for MSR device +files. Please be reminded that user access to /dev/mem leaves the door open for +anyone who wants to exploit the system. Accordingly, the usage of accessD with +suid-root is highly recommended. + Update for Linux kernel 5.9 and newer: With Linux 5.9, the msr kernel module got some security fixes. The major change for LIKWID is, that now all MSR are non-writable by default. In order to change that, you have to change the boot options of your operating system to contain msr.allow_writes=on to enable writes again. This affects only ACCESSMODE=direct and ACCESSMODE=accessdaemon. If you use the perf_event backend, you don't have to change anything. diff --git a/doc/likwid-doxygen.md b/doc/likwid-doxygen.md index 657e8d6a4..8714ee315 100644 --- a/doc/likwid-doxygen.md +++ b/doc/likwid-doxygen.md 
@@ -272,7 +272,7 @@ Some newer kernels implement the so-called capabilities, a fine-grained permissi sudo setcap cap_sys_rawio+ep EXECUTABLE -This is only possible on local file systems. A feasible way is to use the \ref likwid-accessD for all accesses and just enable the capabilities for this one binary. This will enable the usage for all LIKWID tools and also for all instrumented binaries. If \ref likwid-perfctr utility should only be used in wrapper mode, it is suitable to set the capabilities for \ref likwid-perfctr only. Please remember to set the file permission of the MSR device files to read/write for all users, even if capabilites are configured correctly. +This is only possible on local file systems. A feasible way is to use the \ref likwid-accessD for all accesses and just enable the capabilities for this one binary. This will enable the usage for all LIKWID tools and also for all instrumented binaries. If \ref likwid-perfctr utility should only be used in wrapper mode, it is suitable to set the capabilities for \ref likwid-perfctr only. If \ref likwid-accessD is not used or not suid-root, you also need to setup file permissions. Required files are /dev/cpu/*/msr and /dev/mem (physical memory only needed for Uncore Discovery). Be aware of the security risk when giving those permissions to regular users. \subsection accessD Installation on ARM- and POWER-based systems ARM support was added in January. The main switch is the COMPILER setting in config.mk. There are two possibilities: GCCARMv7 and GCCARMv8. For build flags changes, please use the appropriate file make/include_<COMPILER>.mk. The backend for ARM is perf_event. There is a native backend as well but it is currently not usable as the user would need to measure multiple times per second to catch all register overflows. As soon as LIKWID starts a management thread to read the registers in the background, I will publish this backend as well.
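Review bot: In the INSTALL hunk, the Sapphire Rapids paragraph says to "set the capabilities the same way as you do for MSR device files", but capabilities are set on executables (the `setcap` step above), while for the MSR devices the preceding paragraph sets rw file permissions; suggest "assign rw file permissions on /dev/mem the same way as for /dev/cpu/*/msr". The cap_dac_override paragraph presents a step the same text calls "easily exploitable to become root" as something to try next; since the hunk already states that suid-root accessD is the recommended setup, state that alternative first and phrase cap_dac_override as a last resort that hands any user who can execute the capability-bearing binary full read/write on every file. The direct-mode paragraph should also cross-reference the "Linux kernel 5.9 and newer" note that follows it, because per-user rw access on /dev/cpu/*/msr still leaves the MSRs non-writable until msr.allow_writes=on is set. Minor: the context line still reads "feasable" (feasible).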
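Review bot: In the doc/likwid-doxygen.md hunk, the new sentence "you also need to setup file permissions. Required files are /dev/cpu/*/msr and /dev/mem (physical memory only needed for Uncore Discovery)" should say which rights are required (read/write, as the INSTALL hunk states) and that /dev/mem is only needed on Sapphire Rapids and possibly newer CPUs, so the two documents stay consistent; "setup" should be "set up". The sentence "Be aware of the security risk when giving those permissions to regular users" would be more useful if it named the risk the INSTALL text spells out (user access to /dev/mem exposes the whole system) and repeated the recommendation to prefer suid-root \ref likwid-accessD, which is the safer configuration this same paragraph already describes.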