Closed rfxn closed 7 years ago
Did you load the tpe module after install? The rpm set it to load at boot, but doesn't look like it loads at install time. Run this:
sudo modprobe tpe
The modprobe command should read in the config - if not, run this and then retry testing your features:
sudo sysctl -p /etc/sysctl.d/tpe.conf
If still not working, run the test suite (from the git repository) and let me know the output:
make clean test
The test assumes you have sudo permissions. It also unloads the module after it finishes.
Also I just noticed you have:
tpe.softmode = 1
The softmode makes all features permissible. Check your dmesg or look in /var/log/messages to see the denial of access to /proc/kallsyms. It won't log on the ps denials.
After further poking it appears as though the behavior of tpe.softmode has changed. In 1.1.0 when softmode = 1 the 'extras' features still operate as intended. However, in 2.x when softmode = 1, they do not.
I verified this on multiple el6 systems I have running 1.0.3 and 1.1.0 where softmode = 1 w/ extras also enabled and all work as intended (e.g. create test user, can't cat kallsyms, list kmods or list unowned processes).
When testing the same against 2.x, softmode = 1 is causing all 'extras' to not operate. Is this an intentional change?
Yes that was an intended change. Softmode was meant to not deny anything at all - so the extras working in softmode was a bug that was fixed in 2.0. Do you run this module just for the extras, and not tpe itself?
On shared systems I run it for just the extras, on more tightly controlled internal systems and/or PCI compliant ones, I more broadly leverage all TPE features.
It is a nice-to-have in high user count shared systems where the extras make a lot of sense.
How practical would it be to separate softmode into two sysctl knobs?
Such as: tpe.softmode tpe.extras.softmode
Or, an alternative approach: tpe.extras.softmode.ignore
Thoughts?
I can do a tpe.extras.ignore_softmode. I just pushed a commit to branch feature/ignore_softmode that is, for now, a hard-coded ignore softmode. I'll merge it back to master after it's properly tidied up.
Awesome, thank you. That will be super helpful to have as a mainline feature!
Feature added in db556100167b9f325d59cdb8892f378d75c5ff06
Also added tpe.extras.log in 8ced8135d0b37a566e51aa40bc38d79037199955 so you can still log denied extras when normal tpe.log is off.
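The two threads above (the modprobe/sysctl troubleshooting steps, and the 2.x rule that softmode = 1 silences the extras unless tpe.extras.ignore_softmode = 1) can be turned into a quick audit script. The following is an added example written for this page, not code from the tpe-lkm project: it reads a sysctl.d-style fragment, flags the weak combination (softmode on, ignore_softmode off), and checks whether the module is loaded at all via /sys/module. The two sample fragments are constructed for the demo; tpe.softmode, tpe.extras.ignore_softmode and tpe.extras.log are the knobs named in the thread, and tpe.extras.hide_uname is assumed to be the sysctl spelling of the hide_uname extra mentioned later.

```shell
#!/bin/sh
# Added example (not part of tpe-lkm): audit a tpe sysctl fragment for the
# softmode/extras interaction described in the thread. Assumes tpe-lkm 2.x
# semantics: tpe.softmode=1 disables the extras unless
# tpe.extras.ignore_softmode=1 is also set.

# Print the last value assigned to key $2 in sysctl-style file $1 ("key = value").
tpe_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 if the extras will actually deny under this config, 1 if softmode neuters them.
tpe_extras_enforced() {
    softmode=$(tpe_conf_get "$1" "tpe.softmode")
    ignore=$(tpe_conf_get "$1" "tpe.extras.ignore_softmode")
    [ "${softmode:-0}" != "1" ] && return 0     # softmode off: extras enforce
    [ "${ignore:-0}" = "1" ] && return 0        # softmode on, but extras opted out of it
    return 1                                    # softmode on and extras follow it: no denials
}

# Return 0 if the tpe module is currently loaded (no root needed for /sys/module).
tpe_module_loaded() {
    [ -d /sys/module/tpe ]
}

# Write two constructed fragments into directory $1: the weak one from the
# thread (softmode on, extras on) and a corrected one using the new knobs.
tpe_write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: extras enabled but softmode on -> no denials on 2.x
tpe.softmode = 1
tpe.extras.hide_uname = 1
EOF
    cat > "$1/fixed.conf" <<'EOF'
# constructed sample: keep softmode for tpe proper, let the extras enforce and log
tpe.softmode = 1
tpe.extras.ignore_softmode = 1
tpe.extras.log = 1
tpe.extras.hide_uname = 1
EOF
}

main() {
    tmp=$(mktemp -d)
    tpe_write_samples "$tmp"
    for f in weak fixed; do
        if tpe_extras_enforced "$tmp/$f.conf"; then
            echo "$f.conf: extras will enforce"
        else
            echo "$f.conf: WARNING softmode=1 without tpe.extras.ignore_softmode=1; extras deny nothing on 2.x"
        fi
    done
    if tpe_module_loaded; then
        echo "tpe module is loaded"
    else
        echo "tpe module not loaded: run 'sudo modprobe tpe' then 'sudo sysctl -p /etc/sysctl.d/tpe.conf'"
    fi
    rm -rf "$tmp"
}

main "$@"
```

Point tpe_extras_enforced at the real /etc/sysctl.d/tpe.conf to audit a host; the module-loaded check only tells you the module is present, so after loading it still re-run sysctl -p as the thread advises before testing the extras.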
I am not currently able to get tpe.extra features to work on el7 with the latest kernel (3.10.0-514.16.1.el7.x86_64) running tpe-lkm 2.0.1. I am using the elrepo kmod-tpe package and also tried the in-testing 2.0.2 version with no difference built by @pjperry a few days ago.
I even went as far as to rebuild the rpm manually against the latest commit from the elrepo spec file and it made no difference. I am not sure if this is an issue with the spec and how the elrepo rpm is built (@pjperry) or if it's a tpe-lkm issue directly (@cormander).
Testing has been conducted on two separate el7 systems, one KVM based and one bare metal, with the same results.
All extra features are not working, that is to say all processes are visible for non-root users, lsmod can be run without issue, kallsyms can be cat'd and hide_uname makes no difference (when enabled).
Find below current sysctl values for TPE.