Re: [PATCH v4 5/9] trace/bpf_trace: open access for CAP_SYS_PERFMON privileged process
From: Song Liu <hidden>
Date: 2020-01-13 20:47:59
Also in:
intel-gfx, linux-perf-users, linuxppc-dev
On Dec 18, 2019, at 1:28 AM, Alexey Budankov [off-list ref] wrote: Open access to bpf_trace monitoring for CAP_SYS_PERFMON privileged processes. For backward compatibility reasons access to bpf_trace monitoring remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure bpf_trace monitoring is discouraged with respect to CAP_SYS_PERFMON capability. Signed-off-by: Alexey Budankov <redacted>
Acked-by: Song Liu <redacted>
quoted hunk ↗ jump to hunk
--- kernel/trace/bpf_trace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 44bd08f2443b..bafe21ac6d92 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c@@ -1272,7 +1272,7 @@ int perf_event_query_prog_array(struct perf_event *event, void __user *info)u32 *ids, prog_cnt, ids_len; int ret; - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EPERM; if (event->attr.type != PERF_TYPE_TRACEPOINT) return -EINVAL;
I guess we need to fix this check for kprobe/uprobe created with perf_event_open()... Thanks, Song _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel