[PATCH 06/26] perf/core: Open access to the core for CAP_PERFMON privileged process

Arnaldo Carvalho de Melo acme at kernel.org
Mon Apr 13 16:51:43 UTC 2020

From: Alexey Budankov <alexey.budankov at linux.intel.com>

Open access to monitoring of kernel code, CPUs, tracepoints and
namespaces data for a CAP_PERFMON privileged process. Providing the
access under CAP_PERFMON capability singly, without the rest of
CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials
and makes operation more secure.

CAP_PERFMON implements the principle of least privilege for performance
monitoring and observability operations (POSIX IEEE 1003.1e
principle of least privilege: A security design principle that states
that a process or program be granted only those privileges (e.g.,
capabilities) necessary to accomplish its legitimate function, and only
for the time that such privileges are actually required)

For backward compatibility reasons the access to perf_events subsystem
remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN
usage for secure perf_events monitoring is discouraged with respect to
CAP_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov at linux.intel.com>
Reviewed-by: James Morris <jamorris at linux.microsoft.com>
Tested-by: Arnaldo Carvalho de Melo <acme at redhat.com>
Cc: Alexei Starovoitov <ast at kernel.org>
Cc: Andi Kleen <ak at linux.intel.com>
Cc: Igor Lubashev <ilubashe at akamai.com>
Cc: Jiri Olsa <jolsa at redhat.com>
Cc: linux-man at vger.kernel.org
Cc: Namhyung Kim <namhyung at kernel.org>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Serge Hallyn <serge at hallyn.com>
Cc: Song Liu <songliubraving at fb.com>
Cc: Stephane Eranian <eranian at google.com>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: intel-gfx at lists.freedesktop.org
Cc: linux-doc at vger.kernel.org
Cc: linux-security-module at vger.kernel.org
Cc: selinux at vger.kernel.org
Link: http://lore.kernel.org/lkml/471acaef-bb8a-5ce2-923f-90606b78eef9@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
 include/linux/perf_event.h | 6 +++---
 kernel/events/core.c       | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 9c3e7619c929..87e21681759c 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1305,7 +1305,7 @@ static inline int perf_is_paranoid(void)
 static inline int perf_allow_kernel(struct perf_event_attr *attr)
-	if (sysctl_perf_event_paranoid > 1 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
 		return -EACCES;
 	return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
@@ -1313,7 +1313,7 @@ static inline int perf_allow_kernel(struct perf_event_attr *attr)
 static inline int perf_allow_cpu(struct perf_event_attr *attr)
-	if (sysctl_perf_event_paranoid > 0 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > 0 && !perfmon_capable())
 		return -EACCES;
 	return security_perf_event_open(attr, PERF_SECURITY_CPU);
@@ -1321,7 +1321,7 @@ static inline int perf_allow_cpu(struct perf_event_attr *attr)
 static inline int perf_allow_tracepoint(struct perf_event_attr *attr)
-	if (sysctl_perf_event_paranoid > -1 && !capable(CAP_SYS_ADMIN))
+	if (sysctl_perf_event_paranoid > -1 && !perfmon_capable())
 		return -EPERM;
 	return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 1569979c8912..f9d564127e2e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11486,7 +11486,7 @@ SYSCALL_DEFINE5(perf_event_open,
 	if (attr.namespaces) {
-		if (!capable(CAP_SYS_ADMIN))
+		if (!perfmon_capable())
 			return -EACCES;

More information about the Linux-security-module-archive mailing list