Thread (12 messages) 12 messages, 3 authors, 2019-12-16

Re: [PATCH v2 2/7] perf/core: open access for CAP_SYS_PERFMON privileged process

From: Alexey Budankov <hidden>
Date: 2019-12-16 17:08:50
Also in: bpf, intel-gfx, linux-perf-users, linux-security-module, lkml, selinux 

On 16.12.2019 19:12, Lubashev, Igor wrote:
On Mon, Dec 16, 2019 at 2:15 AM, Alexey Budankov [off-list ref] wrote:
quoted
Open access to perf_events monitoring for CAP_SYS_PERFMON privileged
processes.
For backward compatibility reasons access to perf_events subsystem remains
open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage
for secure perf_events monitoring is discouraged with respect to
CAP_SYS_PERFMON capability.

Signed-off-by: Alexey Budankov <redacted>
---
 include/linux/perf_event.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index
34c7c6910026..52313d2cc343 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1285,7 +1285,8 @@ static inline int perf_is_paranoid(void)

 static inline int perf_allow_kernel(struct perf_event_attr *attr)  {
-	if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > 1 &&
+	   !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
 		return -EACCES;

 	return security_perf_event_open(attr, PERF_SECURITY_KERNEL); @@
-1293,7 +1294,8 @@ static inline int perf_allow_kernel(struct
perf_event_attr *attr)

 static inline int perf_allow_cpu(struct perf_event_attr *attr)  {
-	if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > 0 &&
+	    !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
 		return -EACCES;

 	return security_perf_event_open(attr, PERF_SECURITY_CPU); @@ -
1301,7 +1303,8 @@ static inline int perf_allow_cpu(struct perf_event_attr
*attr)

 static inline int perf_allow_tracepoint(struct perf_event_attr *attr)  {
-	if (sysctl_perf_event_paranoid > -1 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > -1 &&
+	    !(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)))
 		return -EPERM;

 	return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
--
2.20.1
Thanks.  I like the idea of CAP_SYS_PERFMON that does not require CAP_SYS_ADMIN.  It makes granting users ability to run perf a bit safer.

I see a lot of "(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN)" constructs now.  Maybe wrapping it in an " inline bool perfmon_capable()" defined somewhere (like in /include/linux/capability.h)?
Yes, it makes sense.

Thanks,
Alexey

- Igor
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help