[PATCH v1 0/3] Introduce CAP_SYS_PERFMON capability for secure Perf users groups

Peter Zijlstra peterz at infradead.org
Wed Dec 11 15:24:35 UTC 2019


On Wed, Dec 11, 2019 at 01:52:15PM +0300, Alexey Budankov wrote:
> Undoubtedly, SELinux is a powerful, mature, whole level of functionality that
> could provide benefits not only for the perf_events subsystem. However, perf_events
> is built around capabilities to provide access control to its functionality,
> thus perf_events would require considerable rework before it could be controlled
> through SELinux.

You mean this:

  da97e18458fb ("perf_event: Add support for LSM and SELinux checks")

?

> Then the adoption could also require changes to the installed
> infrastructure just for the sake of adopting an alternative access control mechanism.

This is still very much true.


