@@ -366,8 +366,16 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow usage of perf_event_open() syscall (perf_events subsystem):
+ * http://man7.org/linux/man-pages/man2/perf_event_open.2.html
+ * beyond the scope permitted by perf_event_paranoid kernel setting.
+ * See Documentation/admin-guide/perf-security.rst for more information.
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
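Review bot: The new comment block above `#define CAP_SYS_PERFMON 38` refers readers to Documentation/admin-guide/perf-security.rst "for more information", yet the diffstat lists only capability.h and classmap.h, so that document does not yet describe the new capability; either update it in the same series or drop the forward reference until it exists. The comment also leaves open whether CAP_SYS_ADMIN keeps granting the same perf_event_open() access, which is exactly what an administrator choosing between the two capabilities needs to know; the description's wording about "assisting" CAP_SYS_ADMIN suggests it does, but the header should say so explicitly, e.g. `* CAP_SYS_ADMIN continues to grant this access; CAP_SYS_PERFMON is the narrower alternative.` once confirmed against the perf_events checks. As a point of style, the blank line between the comment and the `#define` detaches the comment from the macro it documents; removing it keeps them together.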
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
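Review bot: `"sys_perfmon"` is appended as the seventh string of COMMON_CAP2_PERMS, and as far as the hunk shows this list is indexed by capability number minus 32, so the entry lines up with CAP_SYS_PERFMON = 38 only while nothing is inserted ahead of it; a short comment such as `/* order must follow the CAP_* numbering in capability.h */` next to the macro would protect that invariant. The `#if CAP_LAST_CAP > CAP_SYS_PERFMON` guard catches a future forgotten update of this table, but it does nothing for userspace SELinux policy, which presumably needs a matching `sys_perfmon` capability2 permission before a confined process can exercise the new capability; the commit description should mention that policy follow-up so distributions are not surprised by denials.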
Introduce the CAP_SYS_PERFMON capability, dedicated to secure performance monitoring activity, so that CAP_SYS_PERFMON assists the CAP_SYS_ADMIN capability in its governing role for perf_events based performance monitoring of a system. CAP_SYS_PERFMON aims to harden system security and integrity during performance monitoring by decreasing the attack surface that is available to CAP_SYS_ADMIN privileged processes. CAP_SYS_PERFMON aims to take over the CAP_SYS_ADMIN credentials related to the performance monitoring functionality of perf_events and to balance the amount of CAP_SYS_ADMIN credentials in accordance with the recommendations provided in the man page for CAP_SYS_ADMIN [3]: "Note: this capability is overloaded; see Notes to kernel developers, below."
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
 include/uapi/linux/capability.h | 10 +++++++++-
 security/selinux/include/classmap.h | 4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)