[tip: perf/core] perf/core: open access to probes for CAP_PERFMON privileged process

tip-bot2 for Alexey Budankov tip-bot2 at linutronix.de
Wed Apr 22 12:17:36 UTC 2020


The following commit has been merged into the perf/core branch of tip:

Commit-ID:     c9e0924e5c2b59365f9c0d43ff8722e79ecf4088
Gitweb:        https://git.kernel.org/tip/c9e0924e5c2b59365f9c0d43ff8722e79ecf4088
Author:        Alexey Budankov <alexey.budankov at linux.intel.com>
AuthorDate:    Thu, 02 Apr 2020 11:47:01 +03:00
Committer:     Arnaldo Carvalho de Melo <acme at redhat.com>
CommitterDate: Thu, 16 Apr 2020 12:19:08 -03:00

perf/core: open access to probes for CAP_PERFMON privileged process

Open access to monitoring via kprobes and uprobes and eBPF tracing for
CAP_PERFMON privileged process. Providing the access under CAP_PERFMON
capability singly, without the rest of CAP_SYS_ADMIN credentials,
excludes chances to misuse the credentials and makes operation more
secure.

perf kprobes and uprobes are used by ftrace and eBPF. perf probe uses
ftrace to define new kprobe events, and those events are treated as
tracepoint events. eBPF defines new probes via perf_event_open interface
and then the probes are used in eBPF tracing.

CAP_PERFMON implements the principle of least privilege for performance
monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39
principle of least privilege: A security design principle that states
that a process or program be granted only those privileges (e.g.,
capabilities) necessary to accomplish its legitimate function, and only
for the time that such privileges are actually required)

For backward compatibility reasons access to perf_events subsystem
remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN
usage for secure perf_events monitoring is discouraged with respect to
CAP_PERFMON capability.

Signed-off-by: Alexey Budankov <alexey.budankov at linux.intel.com>
Reviewed-by: James Morris <jamorris at linux.microsoft.com>
Tested-by: Arnaldo Carvalho de Melo <acme at redhat.com>
Cc: Alexei Starovoitov <ast at kernel.org>
Cc: Andi Kleen <ak at linux.intel.com>
Cc: Igor Lubashev <ilubashe at akamai.com>
Cc: Jiri Olsa <jolsa at redhat.com>
Cc: Namhyung Kim <namhyung at kernel.org>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Serge Hallyn <serge at hallyn.com>
Cc: Song Liu <songliubraving at fb.com>
Cc: Stephane Eranian <eranian at google.com>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: intel-gfx at lists.freedesktop.org
Cc: linux-doc at vger.kernel.org
Cc: linux-security-module at vger.kernel.org
Cc: selinux at vger.kernel.org
Cc: linux-man at vger.kernel.org
Link: http://lore.kernel.org/lkml/3c129d9a-ba8a-3483-ecc5-ad6c8e7c203f@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
---
 kernel/events/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 74025b7..52951e9 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9397,7 +9397,7 @@ static int perf_kprobe_event_init(struct perf_event *event)
 	if (event->attr.type != perf_kprobe.type)
 		return -ENOENT;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!perfmon_capable())
 		return -EACCES;
 
 	/*
@@ -9457,7 +9457,7 @@ static int perf_uprobe_event_init(struct perf_event *event)
 	if (event->attr.type != perf_uprobe.type)
 		return -ENOENT;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!perfmon_capable())
 		return -EACCES;
 
 	/*



More information about the Linux-security-module-archive mailing list