| Message ID | 6cdc10f2-31e5-6d71-7d71-c6b5250b74f1@linux.intel.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | c9e0924e5c2b59365f9c0d43ff8722e79ecf4088 |
| Headers | show |
| Series | Introduce CAP_PERFMON to secure system performance monitoring and observability | expand |
On Tue, 28 Jan 2020, Alexey Budankov wrote: > > Open access to monitoring via kprobes and uprobes and eBPF tracing for > CAP_PERFMON privileged process. Providing the access under CAP_PERFMON > capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes > chances to misuse the credentials and makes operation more secure. > > perf kprobes and uprobes are used by ftrace and eBPF. perf probe uses > ftrace to define new kprobe events, and those events are treated as > tracepoint events. eBPF defines new probes via perf_event_open interface > and then the probes are used in eBPF tracing. > > CAP_PERFMON implements the principal of least privilege for performance > monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 principle > of least privilege: A security design principle that states that a process or > program be granted only those privileges (e.g., capabilities) necessary to > accomplish its legitimate function, and only for the time that such privileges > are actually required) > > For backward compatibility reasons access to perf_events subsystem remains > open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for > secure perf_events monitoring is discouraged with respect to CAP_PERFMON > capability. > > Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> > --- > kernel/events/core.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Acked-by: James Morris <jamorris@linux.microsoft.com>
diff --git a/kernel/events/core.c b/kernel/events/core.c index d956c81bd310..c6453320ffea 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -9088,7 +9088,7 @@ static int perf_kprobe_event_init(struct perf_event *event) if (event->attr.type != perf_kprobe.type) return -ENOENT; - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EACCES; /* @@ -9148,7 +9148,7 @@ static int perf_uprobe_event_init(struct perf_event *event) if (event->attr.type != perf_uprobe.type) return -ENOENT; - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EACCES; /*
Open access to monitoring via kprobes and uprobes and eBPF tracing for CAP_PERFMON privileged process. Providing the access under CAP_PERFMON capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and makes operation more secure. perf kprobes and uprobes are used by ftrace and eBPF. perf probe uses ftrace to define new kprobe events, and those events are treated as tracepoint events. eBPF defines new probes via perf_event_open interface and then the probes are used in eBPF tracing. CAP_PERFMON implements the principal of least privilege for performance monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 principle of least privilege: A security design principle that states that a process or program be granted only those privileges (e.g., capabilities) necessary to accomplish its legitimate function, and only for the time that such privileges are actually required) For backward compatibility reasons access to perf_events subsystem remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure perf_events monitoring is discouraged with respect to CAP_PERFMON capability. Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> --- kernel/events/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)