Problems with access on msr device files

[moebiusband]

Hi,

A demo for a root exploit involving the msr device files was published. As a consequence the security settings for access to the msr device files are tightened in recent kernels. The patches are back ported now in all major distros.

Just setting the file access rights or using suid root on the access daemon is not sufficient anymore. You have to register your binary now to get access.

This is done by calling (as root or with sudo)

setcap cap_sys_rawio+ep EXECUTABLE

on the executable. Unfortunately this is only possible on local file systems.

Jan

[Michael Werner]

If i register a binary it fails to load shared librarys. Any ideas how to fix this?

$icc hello.c -openmp

$./a.out 

Hello World 1

Hello World 0

Hello World 3

Hello World 2

$sudo setcap cap_sys_rawio+ep a.out 

$./a.out 

./a.out: error while loading shared libraries: libiomp5.so: cannot open shared object file: No such file or directory

hello.c:

#include <stdio.h>

#include <omp.h>

int main() {

    int i;

    #pragma omp parallel for

    for(i=0;i<4;i++) { 

        printf("Hello World %d\n",i);

    }

    return 0;

}

[moebiusband]

Hi Michael,

first of all only do set the capabilities if the standard solution does not work. If you have to use it the only convenient way to enable this while using marker API is by accessing the MSR register via the access daemon. Then you only need to set capabilities once on the access daemon.

You should have no further problems with you binaries.

Otherwise you would need to set it on every binary you use Marker API with, which is not feasible.

Does this solve your problem?

Jan

[Thomas Röhl]

Hi,

I added a blog post which analyzes the setuid root and capability options for the likwid-accessD and the new likwid-setFreq daemon. Maybe it is interesting for you:

http://likwid-tools.blogspot.de/2014/06/likwid-capabilities-system-and-setuid.html

Greetings,
Thomas