Subject: [PATCH v6 03/10] perf/core: open access to probes for CAP_PERFMON privileged process
From: Alexey Budankov
To: Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar, "benh@kernel.crashing.org", Paul Mackerras, Michael Ellerman, "james.bottomley@hansenpartnership.com", Serge Hallyn, Will Deacon, Robert Richter, Alexei Starovoitov
Cc: "intel-gfx@lists.freedesktop.org", Jiri Olsa, Andi Kleen, Stephane Eranian, Igor Lubashev, Alexander Shishkin, Namhyung Kim, Song Liu, Lionel Landwerlin, linux-kernel, "linux-security-module@vger.kernel.org", "selinux@vger.kernel.org", linux-arm-kernel, "linuxppc-dev@lists.ozlabs.org", "linux-parisc@vger.kernel.org", "linux-perf-users@vger.kernel.org", oprofile-list@lists.sf.net
Organization: Intel Corp.
Date: Tue, 28 Jan 2020 09:09:13 +0300
Message-ID: <6cdc10f2-31e5-6d71-7d71-c6b5250b74f1@linux.intel.com>
In-Reply-To: <74d524ab-ac11-a7b8-1052-eba10f117e09@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Open access to monitoring via kprobes and uprobes and eBPF tracing for CAP_PERFMON privileged process. Providing the access under CAP_PERFMON capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and makes operation more secure.

perf kprobes and uprobes are used by ftrace and eBPF. perf probe uses ftrace to define new kprobe events, and those events are treated as tracepoint events. eBPF defines new probes via perf_event_open interface and then the probes are used in eBPF tracing.

CAP_PERFMON implements the principle of least privilege for performance monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 principle of least privilege: A security design principle that states that a process or program be granted only those privileges (e.g., capabilities) necessary to accomplish its legitimate function, and only for the time that such privileges are actually required).

For backward compatibility reasons access to perf_events subsystem remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure perf_events monitoring is discouraged with respect to CAP_PERFMON capability.

Signed-off-by: Alexey Budankov
--- kernel/events/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index d956c81bd310..c6453320ffea 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -9088,7 +9088,7 @@ static int perf_kprobe_event_init(struct perf_event *event) if (event->attr.type != perf_kprobe.type) return -ENOENT; - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EACCES; /* @@ -9148,7 +9148,7 @@ static int perf_uprobe_event_init(struct perf_event *event) if (event->attr.type != perf_uprobe.type) return -ENOENT; - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EACCES; /* -- 2.20.1
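
Review bot: In the perf_kprobe_event_init() hunk, the new "if (!perfmon_capable())" check relies on a helper that is not defined anywhere in this diff, so the commit message's promise that access "remains open for CAP_SYS_ADMIN privileged processes" cannot be confirmed from these lines. Please name the patch in the series that introduces perfmon_capable() and state in the commit message that the helper still accepts CAP_SYS_ADMIN, or add a one-line comment above the check saying so. Otherwise a reader of this patch alone cannot tell whether existing CAP_SYS_ADMIN users of perf kprobes start getting -EACCES.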
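
Review bot: In the perf_uprobe_event_init() hunk, and in the patch as a whole, the only code touched is the capability check in the two perf event init functions in kernel/events/core.c, while the commit message also claims to open "eBPF tracing" to CAP_PERFMON. Please narrow the wording to the perf_event_open probe creation path, or say which other patch in the series changes the checks needed to load and attach the eBPF programs. Since the same test is now duplicated in both init functions, a short comment on why -EACCES is returned there for a caller lacking the capability would also help later readers.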