[PATCH v2 0/4] perf: make Perf tool aware of SELinux access control

Alexey Budankov alexey.budankov at linux.intel.com
Wed Apr 22 14:40:15 UTC 2020

Changes in v2:
- implemented minor doc and code changes to substitute CAP_SYS_ADMIN
  with CAP_PERFMON capability;
- introduced Perf doc file with instructions on how to enable and use
  perf_event LSM hooks for mandatory access control to perf_event_open()

v1: https://lore.kernel.org/lkml/b8a0669e-36e4-a0e8-fd35-3dbd890d2170@linux.intel.com/

repo: git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux.git perf/core
sha1: ee097e8ee56f8867cbbf45fe2a06f6b9e660c39c

Extend Perf tool with the check of /sys/fs/selinux/enforce value and notify 
in case access to perf_event_open() syscall is restricted by the enforced 
SELinux policy settings. See new added security.txt file for exact steps
how the changes look like and how to test the patch set.

Alexey Budankov (4):
  perf trace: substitute CAP_SYS_ADMIN with CAP_PERFMON in error message
  perf docs: substitute CAP_SYS_ADMIN with CAP_PERFMON where needed
  perf tool: make Perf tool aware of SELinux access control
  perf docs: introduce security.txt file to document related issues

 tools/perf/Documentation/perf-intel-pt.txt |   2 +-
 tools/perf/Documentation/security.txt      | 236 +++++++++++++++++++++
 tools/perf/builtin-ftrace.c                |   2 +-
 tools/perf/design.txt                      |   3 +-
 tools/perf/util/cloexec.c                  |   4 +-
 tools/perf/util/evsel.c                    |  40 ++--
 6 files changed, 265 insertions(+), 22 deletions(-)
 create mode 100644 tools/perf/Documentation/security.txt


More information about the Linux-security-module-archive mailing list