From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
Alexei Starovoitov <ast@kernel.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Robert Richter <rric@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Igor Lubashev <ilubashe@akamai.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Song Liu <songliubraving@fb.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
linux-arm-kernel@lists.infradead.org, oprofile-list@lists.sf.net
Subject: [PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
Date: Wed, 18 Dec 2019 12:24:28 +0300 [thread overview]
Message-ID: <e0cb2b8d-e964-bc23-bf80-58d7ac4ed6f1@linux.intel.com> (raw)
In-Reply-To: <c0460c78-b1a6-b5f7-7119-d97e5998f308@linux.intel.com>
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would
assist CAP_SYS_ADMIN capability in its governing role for perf_events,
i915_perf and other subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
attack surface that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
to system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 4 ++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..883c879baa4b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ return capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN);
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
Alexei Starovoitov <ast@kernel.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Robert Richter <rric@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Igor Lubashev <ilubashe@akamai.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Song Liu <songliubraving@fb.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>
Subject: [PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
Date: Wed, 18 Dec 2019 12:24:28 +0300 [thread overview]
Message-ID: <e0cb2b8d-e964-bc23-bf80-58d7ac4ed6f1@linux.intel.com> (raw)
In-Reply-To: <c0460c78-b1a6-b5f7-7119-d97e5998f308@linux.intel.com>
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would
assist CAP_SYS_ADMIN capability in its governing role for perf_events,
i915_perf and other subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
attack surface that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
to system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 4 ++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..883c879baa4b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ return capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN);
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
Alexei Starovoitov <ast@kernel.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Robert Richter <rric@kernel.org>
Cc: Song Liu <songliubraving@fb.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
Igor Lubashev <ilubashe@akamai.com>,
oprofile-list@lists.sf.net, Kees Cook <keescook@chromium.org>,
Jann Horn <jannh@google.com>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-arm-kernel@lists.infradead.org,
Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>
Subject: [PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
Date: Wed, 18 Dec 2019 12:24:28 +0300 [thread overview]
Message-ID: <e0cb2b8d-e964-bc23-bf80-58d7ac4ed6f1@linux.intel.com> (raw)
In-Reply-To: <c0460c78-b1a6-b5f7-7119-d97e5998f308@linux.intel.com>
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would
assist CAP_SYS_ADMIN capability in its governing role for perf_events,
i915_perf and other subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
attack surface that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
to system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 4 ++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..883c879baa4b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ return capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN);
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
Alexei Starovoitov <ast@kernel.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Robert Richter <rric@kernel.org>
Cc: Song Liu <songliubraving@fb.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
Igor Lubashev <ilubashe@akamai.com>,
oprofile-list@lists.sf.net, Kees Cook <keescook@chromium.org>,
Jann Horn <jannh@google.com>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
Lionel Landwerlin <lionel.g.landwerlin@intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-arm-kernel@lists.infradead.org,
Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>
Subject: [PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
Date: Wed, 18 Dec 2019 12:24:28 +0300 [thread overview]
Message-ID: <e0cb2b8d-e964-bc23-bf80-58d7ac4ed6f1@linux.intel.com> (raw)
In-Reply-To: <c0460c78-b1a6-b5f7-7119-d97e5998f308@linux.intel.com>
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would
assist CAP_SYS_ADMIN capability in its governing role for perf_events,
i915_perf and other subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
attack surface that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
to system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 4 ++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..883c879baa4b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ return capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN);
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
"jani.nikula@linux.intel.com" <jani.nikula@linux.intel.com>,
"joonas.lahtinen@linux.intel.com"
<joonas.lahtinen@linux.intel.com>,
"rodrigo.vivi@intel.com" <rodrigo.vivi@intel.com>,
Alexei Starovoitov <ast@kernel.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"james.bottomley@hansenpartnership.com"
<james.bottomley@hansenpartnership.com>,
Serge Hallyn <serge@hallyn.com>, James Morris <jmorris@namei.org>,
Will Deacon <will.deacon@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Robert Richter <rric@kernel.org>
Cc: Song Liu <songliubraving@fb.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
Jiri Olsa <jolsa@redhat.com>, Andi Kleen <ak@linux.intel.com>,
Igor Lubashev <ilubashe@akamai.com>,
oprofile-list@lists.sf.net, Kees Cook <keescook@chromium.org>,
Jann Horn <jannh@google.com>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"intel-gfx@lists.freedesktop.org"
<intel-gfx@lists.freedesktop.org>,
Namhyung Kim <namhyung@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-arm-kernel@lists.infradead.org,
"linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
"linux-perf-users@vger.kernel.org"
<linux-perf-users@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>
Subject: [Intel-gfx] [PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
Date: Wed, 18 Dec 2019 12:24:28 +0300 [thread overview]
Message-ID: <e0cb2b8d-e964-bc23-bf80-58d7ac4ed6f1@linux.intel.com> (raw)
In-Reply-To: <c0460c78-b1a6-b5f7-7119-d97e5998f308@linux.intel.com>
Introduce CAP_SYS_PERFMON capability devoted to secure system performance
monitoring and observability operations so that CAP_SYS_PERFMON would
assist CAP_SYS_ADMIN capability in its governing role for perf_events,
i915_perf and other subsystems of the kernel.
CAP_SYS_PERFMON intends to harden system security and integrity during
system performance monitoring and observability operations by decreasing
attack surface that is available to CAP_SYS_ADMIN privileged processes.
CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
to system performance monitoring and observability operations and balance
amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability
is overloaded; see Notes to kernel developers, below."
[1] http://man7.org/linux/man-pages/man7/capabilities.7.html
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
include/linux/capability.h | 4 ++++
include/uapi/linux/capability.h | 8 +++++++-
security/selinux/include/classmap.h | 4 ++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index ecce0f43c73a..883c879baa4b 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -251,6 +251,10 @@ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
+static inline bool perfmon_capable(void)
+{
+ return capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN);
+}
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 240fdb9a60f6..98e03cc76c7c 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -366,8 +366,14 @@ struct vfs_ns_cap_data {
#define CAP_AUDIT_READ 37
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
+
+#define CAP_SYS_PERFMON 38
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_LAST_CAP CAP_SYS_PERFMON
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7db24855e12d..bae602c623b0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -27,9 +27,9 @@
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
- "wake_alarm", "block_suspend", "audit_read"
+ "wake_alarm", "block_suspend", "audit_read", "sys_perfmon"
-#if CAP_LAST_CAP > CAP_AUDIT_READ
+#if CAP_LAST_CAP > CAP_SYS_PERFMON
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
--
2.20.1
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2019-12-18 9:24 UTC|newest]
Thread overview: 148+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-18 9:16 [PATCH v4 0/7] Introduce CAP_SYS_PERFMON to secure system performance monitoring and observability Alexey Budankov
2019-12-18 9:16 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:16 ` Alexey Budankov
2019-12-18 9:16 ` Alexey Budankov
2019-12-18 9:16 ` Alexey Budankov
2019-12-18 9:24 ` Alexey Budankov [this message]
2019-12-18 9:24 ` [Intel-gfx] [PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space Alexey Budankov
2019-12-18 9:24 ` Alexey Budankov
2019-12-18 9:24 ` Alexey Budankov
2019-12-18 9:24 ` Alexey Budankov
2019-12-18 19:56 ` Stephen Smalley
2019-12-18 19:56 ` [Intel-gfx] " Stephen Smalley
2019-12-18 19:56 ` Stephen Smalley
2019-12-18 19:56 ` Stephen Smalley
2019-12-18 19:56 ` Stephen Smalley
2019-12-28 3:53 ` Serge E. Hallyn
2019-12-28 3:53 ` [Intel-gfx] " Serge E. Hallyn
2019-12-28 3:53 ` Serge E. Hallyn
2019-12-28 3:53 ` Serge E. Hallyn
2020-01-13 20:25 ` Song Liu
2020-01-13 20:25 ` [Intel-gfx] " Song Liu
2020-01-13 20:25 ` Song Liu
2020-01-13 20:25 ` Song Liu
2019-12-18 9:25 ` [PATCH v4 2/9] perf/core: open access for CAP_SYS_PERFMON privileged process Alexey Budankov
2019-12-18 9:25 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:25 ` Alexey Budankov
2019-12-18 9:25 ` Alexey Budankov
2019-12-18 9:25 ` Alexey Budankov
2020-01-08 16:07 ` Peter Zijlstra
2020-01-08 16:07 ` [Intel-gfx] " Peter Zijlstra
2020-01-08 16:07 ` Peter Zijlstra
2020-01-08 16:07 ` Peter Zijlstra
2020-01-08 16:07 ` Peter Zijlstra
2020-01-09 11:36 ` Alexey Budankov
2020-01-09 11:36 ` [Intel-gfx] " Alexey Budankov
2020-01-09 11:36 ` Alexey Budankov
2020-01-09 11:36 ` Alexey Budankov
2020-01-09 11:36 ` Alexey Budankov
2020-01-10 14:02 ` Peter Zijlstra
2020-01-10 14:02 ` [Intel-gfx] " Peter Zijlstra
2020-01-10 14:02 ` Peter Zijlstra
2020-01-10 14:02 ` Peter Zijlstra
2020-01-10 15:52 ` Masami Hiramatsu
2020-01-10 15:52 ` [Intel-gfx] " Masami Hiramatsu
2020-01-10 15:52 ` Masami Hiramatsu
2020-01-10 15:52 ` Masami Hiramatsu
2020-01-10 16:45 ` Arnaldo Carvalho de Melo
2020-01-10 16:45 ` [Intel-gfx] " Arnaldo Carvalho de Melo
2020-01-10 16:45 ` Arnaldo Carvalho de Melo
2020-01-10 16:45 ` Arnaldo Carvalho de Melo
2020-01-10 23:47 ` Masami Hiramatsu
2020-01-10 23:47 ` [Intel-gfx] " Masami Hiramatsu
2020-01-10 23:47 ` Masami Hiramatsu
2020-01-10 23:47 ` Masami Hiramatsu
2020-01-11 0:23 ` Song Liu
2020-01-11 0:23 ` [Intel-gfx] " Song Liu
2020-01-11 0:23 ` Song Liu
2020-01-11 0:23 ` Song Liu
2020-01-11 0:35 ` arnaldo.melo
2020-01-11 0:35 ` [Intel-gfx] " arnaldo.melo
2020-01-11 9:57 ` Alexey Budankov
2020-01-13 20:39 ` Song Liu
2020-01-14 3:25 ` Masami Hiramatsu
2020-01-14 5:17 ` Alexei Starovoitov
2020-01-14 9:47 ` Alexey Budankov
2020-01-14 18:06 ` Alexei Starovoitov
2020-01-14 18:50 ` Alexey Budankov
2020-01-15 1:52 ` Alexei Starovoitov
2020-01-15 5:15 ` Alexey Budankov
2020-04-01 20:50 ` Alexey Budankov
2020-04-03 13:55 ` Alexey Budankov
2020-04-03 13:56 ` Alexey Budankov
2020-01-15 9:45 ` Masami Hiramatsu
2020-01-15 12:11 ` Alexey Budankov
2020-01-14 12:04 ` Masami Hiramatsu
2020-01-12 1:44 ` Masami Hiramatsu
2020-01-12 1:44 ` [Intel-gfx] " Masami Hiramatsu
2020-01-12 1:44 ` Masami Hiramatsu
2020-01-10 16:41 ` Alexey Budankov
2020-01-10 16:41 ` [Intel-gfx] " Alexey Budankov
2020-01-10 16:41 ` Alexey Budankov
2020-01-10 16:41 ` Alexey Budankov
2020-01-10 17:34 ` Alexey Budankov
2020-01-10 17:34 ` [Intel-gfx] " Alexey Budankov
2020-01-10 17:34 ` Alexey Budankov
2020-01-10 17:34 ` Alexey Budankov
2020-04-01 20:49 ` Alexey Budankov
2020-04-03 14:28 ` Alexey Budankov
2019-12-18 9:26 ` [PATCH v4 3/9] perf tool: extend Perf tool with CAP_SYS_PERFMON capability support Alexey Budankov
2019-12-18 9:26 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:26 ` Alexey Budankov
2019-12-18 9:26 ` Alexey Budankov
2019-12-18 9:26 ` Alexey Budankov
2019-12-18 9:27 ` [PATCH v4 4/9] drm/i915/perf: open access for CAP_SYS_PERFMON privileged process Alexey Budankov
2019-12-18 9:27 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:27 ` Alexey Budankov
2019-12-18 9:27 ` Alexey Budankov
2019-12-18 9:27 ` Alexey Budankov
2019-12-19 9:10 ` Lionel Landwerlin
2019-12-19 9:10 ` [Intel-gfx] " Lionel Landwerlin
2019-12-19 9:10 ` Lionel Landwerlin
2019-12-19 9:10 ` Lionel Landwerlin
2019-12-19 9:10 ` Lionel Landwerlin
2019-12-18 9:28 ` [PATCH v4 5/9] trace/bpf_trace: " Alexey Budankov
2019-12-18 9:28 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:28 ` Alexey Budankov
2019-12-18 9:28 ` Alexey Budankov
2019-12-18 9:28 ` Alexey Budankov
2020-01-13 20:47 ` Song Liu
2020-01-13 20:47 ` [Intel-gfx] " Song Liu
2020-01-13 20:47 ` Song Liu
2020-01-13 20:47 ` Song Liu
2019-12-18 9:28 ` [PATCH v4 6/9] powerpc/perf: " Alexey Budankov
2019-12-18 9:28 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:28 ` Alexey Budankov
2019-12-18 9:28 ` Alexey Budankov
2019-12-18 9:28 ` Alexey Budankov
2019-12-18 9:29 ` [PATCH v4 7/9] parisc/perf: " Alexey Budankov
2019-12-18 9:29 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:29 ` Alexey Budankov
2019-12-18 9:29 ` Alexey Budankov
2019-12-18 9:29 ` Alexey Budankov
2020-01-27 8:52 ` Helge Deller
2020-01-27 8:52 ` [Intel-gfx] " Helge Deller
2020-01-27 8:52 ` Helge Deller
2020-01-27 8:52 ` Helge Deller
2020-01-27 8:52 ` Helge Deller
2019-12-18 9:30 ` [PATCH v4 8/9] drivers/perf: " Alexey Budankov
2019-12-18 9:30 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:30 ` Alexey Budankov
2019-12-18 9:30 ` Alexey Budankov
2019-12-18 9:30 ` Alexey Budankov
2020-01-17 10:51 ` Will Deacon
2020-01-17 10:51 ` [Intel-gfx] " Will Deacon
2020-01-17 10:51 ` Will Deacon
2020-01-17 10:51 ` Will Deacon
2020-01-17 21:33 ` Alexey Budankov
2020-01-17 21:33 ` [Intel-gfx] " Alexey Budankov
2020-01-17 21:33 ` Alexey Budankov
2020-01-17 21:33 ` Alexey Budankov
2020-01-18 18:48 ` Alexey Budankov
2020-01-18 18:48 ` Alexey Budankov
2019-12-18 9:31 ` [PATCH v4 9/9] drivers/oprofile: " Alexey Budankov
2019-12-18 9:31 ` [Intel-gfx] " Alexey Budankov
2019-12-18 9:31 ` Alexey Budankov
2019-12-18 9:31 ` Alexey Budankov
2019-12-18 9:31 ` Alexey Budankov
2019-12-18 10:11 ` [Intel-gfx] ✗ Fi.CI.BUILD: failure for Introduce CAP_SYS_PERFMON to secure system performance monitoring and observability (rev3) Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e0cb2b8d-e964-bc23-bf80-58d7ac4ed6f1@linux.intel.com \
--to=alexey.budankov@linux.intel.com \
--cc=acme@kernel.org \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=ast@kernel.org \
--cc=benh@kernel.crashing.org \
--cc=bpf@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=eranian@google.com \
--cc=ilubashe@akamai.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=james.bottomley@hansenpartnership.com \
--cc=jani.nikula@linux.intel.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=jolsa@redhat.com \
--cc=joonas.lahtinen@linux.intel.com \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lionel.g.landwerlin@intel.com \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=namhyung@kernel.org \
--cc=oprofile-list@lists.sf.net \
--cc=paulus@samba.org \
--cc=peterz@infradead.org \
--cc=rodrigo.vivi@intel.com \
--cc=rric@kernel.org \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=songliubraving@fb.com \
--cc=tglx@linutronix.de \
--cc=tvrtko.ursulin@linux.intel.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.