From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 004CEC54FCF for ; Mon, 20 Apr 2020 11:54:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D422D2072B for ; Mon, 20 Apr 2020 11:54:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1587383644; bh=+xEoiGPexvXw2sKFmZsWTCkSb2u7zsmlJFePteV0FYE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=frE+Ke3lAOa91J6AE4m5fk93NO/j2pSRSYj+JlXviSZXa9RwnUW+PiIfp9ETdEMtX 2l5vgyzmrBVycX2IQrP8pZXJ+eKiRpR/CWbxB6PnoFGb4kSSwvwxKqdYvOcjTSNt5Z FvaozhqTxwnLe3KethNq5H3TRnT1yu1o13T4Vhrk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726655AbgDTLyA (ORCPT ); Mon, 20 Apr 2020 07:54:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:37386 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725886AbgDTLyA (ORCPT ); Mon, 20 Apr 2020 07:54:00 -0400 Received: from quaco.ghostprotocols.net (unknown [179.97.37.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 87015214AF; Mon, 20 Apr 2020 11:53:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1587383639; bh=+xEoiGPexvXw2sKFmZsWTCkSb2u7zsmlJFePteV0FYE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cuxBGSfRM4mRwroR4FIXEnNSGjpXChR/18QORf1aWO5Ws3tHERNUr2V8I9rGMPfTV 9Qg0223aE3K1su8NJ0dtffFB+M/XgJ4IJPHFvutrKex5xDUZOQ9S4Ed61HkCr7WdfY OrYbuTChIvtETvHspP58GF4PXceYL9cN2mv2ihrY= From: Arnaldo Carvalho de Melo To: Ingo Molnar , Thomas Gleixner Cc: Jiri Olsa , Namhyung Kim , Clark Williams , linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Alexey Budankov , James Morris , Arnaldo Carvalho de Melo , Alexei Starovoitov , Andi Kleen , Igor Lubashev , Jiri Olsa , Peter Zijlstra , Serge Hallyn , Song Liu , Stephane Eranian , intel-gfx@lists.freedesktop.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-man@vger.kernel.org Subject: [PATCH 07/60] perf/core: open access to probes for CAP_PERFMON privileged process Date: Mon, 20 Apr 2020 08:52:23 -0300 Message-Id: <20200420115316.18781-8-acme@kernel.org> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200420115316.18781-1-acme@kernel.org> References: <20200420115316.18781-1-acme@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-man-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-man@vger.kernel.org From: Alexey Budankov Open access to monitoring via kprobes and uprobes and eBPF tracing for CAP_PERFMON privileged process. Providing the access under CAP_PERFMON capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and makes operation more secure. perf kprobes and uprobes are used by ftrace and eBPF. perf probe uses ftrace to define new kprobe events, and those events are treated as tracepoint events. eBPF defines new probes via perf_event_open interface and then the probes are used in eBPF tracing. CAP_PERFMON implements the principle of least privilege for performance monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 principle of least privilege: A security design principle that states that a process or program be granted only those privileges (e.g., capabilities) necessary to accomplish its legitimate function, and only for the time that such privileges are actually required) For backward compatibility reasons access to perf_events subsystem remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure perf_events monitoring is discouraged with respect to CAP_PERFMON capability. Signed-off-by: Alexey Budankov Reviewed-by: James Morris Tested-by: Arnaldo Carvalho de Melo Cc: Alexei Starovoitov Cc: Andi Kleen Cc: Igor Lubashev Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Serge Hallyn Cc: Song Liu Cc: Stephane Eranian Cc: Thomas Gleixner Cc: intel-gfx@lists.freedesktop.org Cc: linux-doc@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: selinux@vger.kernel.org Cc: linux-man@vger.kernel.org Link: http://lore.kernel.org/lkml/3c129d9a-ba8a-3483-ecc5-ad6c8e7c203f@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo --- kernel/events/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 74025b7b83a0..52951e9e8e1b 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -9397,7 +9397,7 @@ static int perf_kprobe_event_init(struct perf_event *event) if (event->attr.type != perf_kprobe.type) return -ENOENT; - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EACCES; /* @@ -9457,7 +9457,7 @@ static int perf_uprobe_event_init(struct perf_event *event) if (event->attr.type != perf_uprobe.type) return -ENOENT; - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EACCES; /* -- 2.21.1