Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp847540ybl; Tue, 28 Jan 2020 13:23:17 -0800 (PST) X-Google-Smtp-Source: APXvYqwr9FMjnw1ncnKsGe95hBr/+TRPN16g9L2tq2haVkkHZr+8HTE4HGMATt3oMhTOIp916lGm X-Received: by 2002:a9d:53cb:: with SMTP id i11mr18415761oth.158.1580246597093; Tue, 28 Jan 2020 13:23:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580246597; cv=none; d=google.com; s=arc-20160816; b=lSQrTvRNlCFDJNq2PGGC8jUOLBYB6X0sXBQxgFEojHZ80KdWgCGpkVNY3TMqahWWXJ Lfpg1mBa1bnny9FE9m/G0Odb97iW6OctGFMuoAuNP3/YuJN5UrfkdbOtZNQ1b76CDsjc HQH8fYTHY0pPRFYiXVoaS9eKRDkjqeVnypqZYicYh4pLPlUdZiSzT5q/hR9SFFCvrRko 8h3fUPbXI3sHuVuIjYGnno3WZQpibIPBAXL92IZP+JSeleunqe7jBGTPVPrPZuNeL0WB IFKHvoruusMx1rvDu4pYxM6mdykfCuumuA7lQpEDxIEO7g116awvhgzH7qV89gqHdWbH 1rjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=lE/rV3aTwL0fsHM5lWXPO58FDQQqArWHcPbgn4ChIOY=; b=WJo5d6t3iM0SLSk2uI/tuZWPTynAuDqDUFQU7+Hm/PUbXs3zbt9uMzUF6bOwMN4Cgz Qm6j6Wez6lQs5XeAsvVJtT6XlE2zhRDM+vlJck+JFo+MuUxyJ90fFPvKN1aG7S43nN+Y u75NV75rqaU0/Db0ygQPPeuCDhB5NhTLmkWFmF3IOIRu6J32n26vrfgdH5IPu7TqidE2 Joy06094iZEfpHbCFFk9XVUJoH+M7ASdlcMmA+6cpKelLDsy9N8mWZ/qHzhFpZmcZcOW 7kuishevWxImq/PpZuDebR9H/ZJFQKOCrThwMlHaxgp1DbyFicymJtJikP9VdDTrotqh rifQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e6si9258777otq.217.2020.01.28.13.23.05; Tue, 28 Jan 2020 13:23:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726591AbgA1VVF (ORCPT + 99 others); Tue, 28 Jan 2020 16:21:05 -0500 Received: from namei.org ([65.99.196.166]:60568 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726211AbgA1VVF (ORCPT ); Tue, 28 Jan 2020 16:21:05 -0500 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id 00SLIGx1004605; Tue, 28 Jan 2020 21:18:16 GMT Date: Wed, 29 Jan 2020 08:18:16 +1100 (AEDT) From: James Morris To: Alexey Budankov cc: Peter Zijlstra , Arnaldo Carvalho de Melo , Ingo Molnar , "benh@kernel.crashing.org" , Paul Mackerras , Michael Ellerman , "james.bottomley@hansenpartnership.com" , Serge Hallyn , Will Deacon , Robert Richter , Alexei Starovoitov , "intel-gfx@lists.freedesktop.org" , Jiri Olsa , Andi Kleen , Stephane Eranian , Igor Lubashev , Alexander Shishkin , Namhyung Kim , Song Liu , Lionel Landwerlin , linux-kernel , "linux-security-module@vger.kernel.org" , "selinux@vger.kernel.org" , linux-arm-kernel , "linuxppc-dev@lists.ozlabs.org" , "linux-parisc@vger.kernel.org" , "linux-perf-users@vger.kernel.org" , oprofile-list@lists.sf.net Subject: Re: [PATCH v6 10/10] drivers/oprofile: open access for CAP_PERFMON privileged process In-Reply-To: Message-ID: References: <74d524ab-ac11-a7b8-1052-eba10f117e09@linux.intel.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 28 Jan 2020, Alexey Budankov wrote: > > Open access to monitoring for CAP_PERFMON privileged process. Providing > the access under CAP_PERFMON capability singly, without the rest of > CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and > makes operation more secure. > > CAP_PERFMON implements the principal of least privilege for performance > monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 principle > of least privilege: A security design principle that states that a process > or program be granted only those privileges (e.g., capabilities) necessary > to accomplish its legitimate function, and only for the time that such > privileges are actually required) > > For backward compatibility reasons access to the monitoring remains open > for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure > monitoring is discouraged with respect to CAP_PERFMON capability. > > Signed-off-by: Alexey Budankov > --- > drivers/oprofile/event_buffer.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Acked-by: James Morris > > diff --git a/drivers/oprofile/event_buffer.c b/drivers/oprofile/event_buffer.c > index 12ea4a4ad607..6c9edc8bbc95 100644 > --- a/drivers/oprofile/event_buffer.c > +++ b/drivers/oprofile/event_buffer.c > @@ -113,7 +113,7 @@ static int event_buffer_open(struct inode *inode, struct file *file) > { > int err = -EPERM; > > - if (!capable(CAP_SYS_ADMIN)) > + if (!perfmon_capable()) > return -EPERM; > > if (test_and_set_bit_lock(0, &buffer_opened)) > -- James Morris