[PATCH v3 0/3] perf: make Perf tool aware of SELinux access control

Alexey Budankov alexey.budankov at linux.intel.com
Fri Apr 24 06:45:39 UTC 2020

Changes in v3:
- mention "CAP_PERFMON or CAP_SYS_ADMIN" instead of sole CAP_PERFMON or 
  CAP_SYS_ADMIN capability in the docs and messages to support use case
  of newer Perf tool on kernel w/o CAP_PERFMON
- reverted double new line in "No permission to enable %s event.\n\n"
- updated security.txt content with new messages wording

v2: https://lore.kernel.org/lkml/66f2975b-4a69-b428-7dc5-d9aa40b3c673@linux.intel.com/

Changes in v2:
- implemented minor doc and code changes to substitute CAP_SYS_ADMIN
  with CAP_PERFMON capability;
- introduced Perf doc file with instructions on how to enable and use
  perf_event LSM hooks for mandatory access control to perf_event_open()

v1: https://lore.kernel.org/lkml/b8a0669e-36e4-a0e8-fd35-3dbd890d2170@linux.intel.com/

repo: git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux.git perf/core
sha1: ee097e8ee56f8867cbbf45fe2a06f6b9e660c39c

Extend Perf tool with the check of /sys/fs/selinux/enforce value and notify 
in case access to perf_event_open() syscall is restricted by the enforced 
SELinux policy settings. See new added security.txt file for exact steps
how the changes look like and how to test the patch set.

Alexey Budankov (3):
  perf docs: extend CAP_SYS_ADMIN with CAP_PERFMON where needed
  perf tool: make Perf tool aware of SELinux access control
  perf docs: introduce security.txt file to document related issues

 tools/perf/Documentation/perf-intel-pt.txt |   2 +-
 tools/perf/Documentation/security.txt      | 237 +++++++++++++++++++++
 tools/perf/util/cloexec.c                  |   4 +-
 tools/perf/util/evsel.c                    |  39 ++--
 4 files changed, 264 insertions(+), 18 deletions(-)
 create mode 100644 tools/perf/Documentation/security.txt


More information about the Linux-security-module-archive mailing list