[PATCH v1 2/3] perf/core: apply CAP_SYS_PERFMON to CPUs and kernel monitoring

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
	elena.reshetova@intel.com,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>,
	Stephane Eranian <eranian@google.com>,
	Namhyung Kim <namhyung@kernel.org>,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: [PATCH v1 2/3] perf/core: apply CAP_SYS_PERFMON to CPUs and kernel monitoring
Date: Thu, 5 Dec 2019 19:21:32 +0300	[thread overview]
Message-ID: <fdd428a9-1906-410c-99b0-c9568a72f320@linux.intel.com> (raw)
In-Reply-To: <283f09a5-33bd-eac3-bdfd-83d775045bf9@linux.intel.com>


Enable CAP_SYS_PERFMON privileged process with secure performance monitoring
of available online CPUs, when executing code in kernel and user modes.

For backward compatibility reasons performance monitoring functionality of 
perf_events subsystem remains available under CAP_SYS_ADMIN but its usage for
secure performance monitoring use cases is discouraged with respect to the
introduced CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
 include/linux/perf_event.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 34c7c6910026..e8dc8411de9a 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1285,7 +1285,8 @@ static inline int perf_is_paranoid(void)
 
 static inline int perf_allow_kernel(struct perf_event_attr *attr)
 {
-	if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > 1 &&
+	   !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
 		return -EACCES;
 
 	return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
@@ -1293,7 +1294,8 @@ static inline int perf_allow_kernel(struct perf_event_attr *attr)
 
 static inline int perf_allow_cpu(struct perf_event_attr *attr)
 {
-	if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > 0 &&
+	    !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
 		return -EACCES;
 
 	return security_perf_event_open(attr, PERF_SECURITY_CPU);
-- 
2.20.1

next prev parent reply	other threads:[~2019-12-05 16:21 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05 16:15 [PATCH v1 0/3] Introduce CAP_SYS_PERFMON capability for secure Perf users groups Alexey Budankov
2019-12-05 16:19 ` [PATCH v1 1/3] capabilities: introduce CAP_SYS_PERFMON to kernel and user space Alexey Budankov
2019-12-05 16:21 ` Alexey Budankov [this message]
2019-12-05 16:22 ` [PATCH v1 3/3] perf tool: extend Perf tool with CAP_SYS_PERFMON support Alexey Budankov
2019-12-05 16:49 ` [PATCH v1 0/3] Introduce CAP_SYS_PERFMON capability for secure Perf users groups Casey Schaufler
2019-12-05 17:05   ` Alexey Budankov
2019-12-05 17:33     ` Casey Schaufler
2019-12-05 18:11       ` Andi Kleen
2019-12-05 18:37       ` Alexey Budankov
2019-12-11 10:52       ` Alexey Budankov
2019-12-11 15:24         ` Peter Zijlstra
2019-12-11 17:00           ` Alexey Budankov
2019-12-11 18:09         ` Casey Schaufler
2019-12-11 20:36           ` Andi Kleen
2019-12-11 21:25             ` Casey Schaufler
2019-12-12 14:24             ` Stephen Smalley
2019-12-15 11:53               ` Alexey Budankov
2019-12-11 19:04       ` Stephane Eranian

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:34c7c691002 dfblob:e8dc8411de9 )
 OR (
bs:"[PATCH v1 2/3] perf/core: apply CAP_SYS_PERFMON to CPUs and kernel monitoring" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fdd428a9-1906-410c-99b0-c9568a72f320@linux.intel.com \
    --to=alexey.budankov@linux.intel.com \
    --cc=acme@kernel.org \
    --cc=ak@linux.intel.com \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=elena.reshetova@intel.com \
    --cc=eranian@google.com \
    --cc=jannh@google.com \
    --cc=jolsa@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=namhyung@kernel.org \
    --cc=peterz@infradead.org \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).