[PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information

Arnaldo Carvalho de Melo arnaldo.melo at gmail.com
Sun Apr 5 14:10:29 UTC 2020


Em Thu, Apr 02, 2020 at 11:54:39AM +0300, Alexey Budankov escreveu:
> 
> Update kernel.rst documentation file with the information
> related to usage of CAP_PERFMON capability to secure performance
> monitoring and observability operations in system.

This one is failing in my perf/core branch, please take a look. I'm
pushing my perf/core branch with this series applied, please check that
everything is ok, I'll do some testing now, but it all seems ok.

Thanks,

- Arnaldo
 
> Signed-off-by: Alexey Budankov <alexey.budankov at linux.intel.com>
> ---
>  Documentation/admin-guide/sysctl/kernel.rst | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
> index def074807cee..b06ae9389809 100644
> --- a/Documentation/admin-guide/sysctl/kernel.rst
> +++ b/Documentation/admin-guide/sysctl/kernel.rst
> @@ -720,20 +720,26 @@ perf_event_paranoid:
>  ====================
>  
>  Controls use of the performance events system by unprivileged
> -users (without CAP_SYS_ADMIN).  The default value is 2.
> +users (without CAP_PERFMON). The default value is 2.
> +
> +For backward compatibility reasons access to system performance
> +monitoring and observability remains open for CAP_SYS_ADMIN
> +privileged processes but CAP_SYS_ADMIN usage for secure system
> +performance monitoring and observability operations is discouraged
> +with respect to CAP_PERFMON use cases.
>  
>  ===  ==================================================================
>   -1  Allow use of (almost) all events by all users
>  
>       Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>  
> ->=0  Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
> +>=0  Disallow ftrace function tracepoint by users without CAP_PERFMON
>  
> -     Disallow raw tracepoint access by users without CAP_SYS_ADMIN
> +     Disallow raw tracepoint access by users without CAP_PERFMON
>  
> ->=1  Disallow CPU event access by users without CAP_SYS_ADMIN
> +>=1  Disallow CPU event access by users without CAP_PERFMON
>  
> ->=2  Disallow kernel profiling by users without CAP_SYS_ADMIN
> +>=2  Disallow kernel profiling by users without CAP_PERFMON
>  ===  ==================================================================
>  
>  
> -- 
> 2.24.1
> 

-- 

- Arnaldo



More information about the Linux-security-module-archive mailing list