[PATCH v8 12/12] doc/admin-guide: update kernel.rst with CAP_PERFMON information
Alexey Budankov
alexey.budankov at linux.intel.com
Sun Apr 5 14:41:48 UTC 2020
On 05.04.2020 17:10, Arnaldo Carvalho de Melo wrote:
> Em Thu, Apr 02, 2020 at 11:54:39AM +0300, Alexey Budankov escreveu:
>>
>> Update kernel.rst documentation file with the information
>> related to usage of CAP_PERFMON capability to secure performance
>> monitoring and observability operations in system.
>
> This one is failing in my perf/core branch, please take a look. I'm
Trying to reproduce right now. What kind of failure do you see?
Please share some specifics so I could follow up properly.
Thanks,
Alexey
> pushing my perf/core branch with this series applied, please check that
> everything is ok, I'll do some testing now, but it all seems ok.
>
> Thanks,
>
> - Arnaldo
>
>> Signed-off-by: Alexey Budankov <alexey.budankov at linux.intel.com>
>> ---
>> Documentation/admin-guide/sysctl/kernel.rst | 16 +++++++++++-----
>> 1 file changed, 11 insertions(+), 5 deletions(-)
>>
>> diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
>> index def074807cee..b06ae9389809 100644
>> --- a/Documentation/admin-guide/sysctl/kernel.rst
>> +++ b/Documentation/admin-guide/sysctl/kernel.rst
>> @@ -720,20 +720,26 @@ perf_event_paranoid:
>> ====================
>>
>> Controls use of the performance events system by unprivileged
>> -users (without CAP_SYS_ADMIN). The default value is 2.
>> +users (without CAP_PERFMON). The default value is 2.
>> +
>> +For backward compatibility reasons access to system performance
>> +monitoring and observability remains open for CAP_SYS_ADMIN
>> +privileged processes but CAP_SYS_ADMIN usage for secure system
>> +performance monitoring and observability operations is discouraged
>> +with respect to CAP_PERFMON use cases.
>>
>> === ==================================================================
>> -1 Allow use of (almost) all events by all users
>>
>> Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>>
>> ->=0 Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN
>> +>=0 Disallow ftrace function tracepoint by users without CAP_PERFMON
>>
>> - Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>> + Disallow raw tracepoint access by users without CAP_PERFMON
>>
>> ->=1 Disallow CPU event access by users without CAP_SYS_ADMIN
>> +>=1 Disallow CPU event access by users without CAP_PERFMON
>>
>> ->=2 Disallow kernel profiling by users without CAP_SYS_ADMIN
>> +>=2 Disallow kernel profiling by users without CAP_PERFMON
>> === ==================================================================
>>
>>
>> --
>> 2.24.1
>>
>
More information about the Linux-security-module-archive
mailing list