Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp522126ybv;
        Wed, 5 Feb 2020 09:35:41 -0800 (PST)
X-Google-Smtp-Source: APXvYqysWHIIQLEkF+UE/gJPRlRdDwHU91g1SAU/RNujmZvSsyv93M/G1+9skW5HpSJqgfJRAtrQ
X-Received: by 2002:a9d:6e14:: with SMTP id e20mr28275805otr.283.1580924141002;
        Wed, 05 Feb 2020 09:35:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1580924140; cv=none;
        d=google.com; s=arc-20160816;
        b=Kk4hHKLQ1pomlmtV10OOpnjLj15MgkYVwwkysKScIo/jEmzmY/JCzikJgwpojiAY4M
         AsbCh8WHjGeQfAn94xAtl4rvKSqb9f4EwHKafqZkRLNdItmIwilswXRGrHYgIzZhKqhT
         y3BmZi5xBJ37Xto/u5deoFVXFEkuvl9+9WJ/kx3m7ip1y2byTvLrKqdE1+gpLcz3OETk
         V7/0mhdKY4Au26N8Ty6ER+JlwGLs78n/dfp7uf0hGs4KOfu2YgsBvtgc4Jx59uQk/Jxo
         9KJdcVp/kQcovMXIWzPtnjMca7G2v1oHl1dwpjsBmQv1hlK0Js9e2uZjuokzvXlP3ks2
         Evfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:organization:references:cc:to:from:subject;
        bh=yHbdHuO8BCxu4zsz3LSPCANlXdZNy+RKcOp391BQWi8=;
        b=xXkId7HN6+Y5VYojxacMkcuAfmscHQmhqVIUwhMmvalcQRNhYaQt8EgpVe+NgS55lX
         TW3EclgYudufkJl3DdQFR2013puHxlA85DgIIrJgIeCUBFQdKC1VfIycj0G5VXH6eCcA
         3Coce+0s3Od3OFDuekmQCffxksuc6eJLdg4SrMiC4nSgYbtlGKJYULzMrgGEb73sVfVD
         BJW04SZl5Jam1bmSgv7IXlzqco0b6S5lx6kKcYy/npC6liTi705Nk2g1U3Ru+QILoyrF
         6vIqSvzczWfesZj3lZZ53ftck9VifFRkY2SnyWrczmlih3E4aSXJVwCG1x/Ts312Qdel
         RvUA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u23si65811otj.242.2020.02.05.09.35.28;
        Wed, 05 Feb 2020 09:35:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727363AbgBERee (ORCPT <rfc822;rruigrok1@gmail.com> + 99 others);
        Wed, 5 Feb 2020 12:34:34 -0500
Received: from mga03.intel.com ([134.134.136.65]:8668 "EHLO mga03.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726957AbgBERee (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 Feb 2020 12:34:34 -0500
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Feb 2020 09:34:33 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,406,1574150400"; 
   d="scan'208";a="343794118"
Received: from linux.intel.com ([10.54.29.200])
  by fmsmga001.fm.intel.com with ESMTP; 05 Feb 2020 09:34:32 -0800
Received: from [10.252.5.149] (abudanko-mobl.ccr.corp.intel.com [10.252.5.149])
        by linux.intel.com (Postfix) with ESMTP id 782CD5802BC;
        Wed,  5 Feb 2020 09:34:25 -0800 (PST)
Subject: [PATCH v6 06/10] trace/bpf_trace: open access for CAP_PERFMON
 privileged process
From:   Alexey Budankov <alexey.budankov@linux.intel.com>
To:     James Morris <jmorris@namei.org>, Serge Hallyn <serge@hallyn.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        Peter Zijlstra <peterz@infradead.org>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Ingo Molnar <mingo@redhat.com>,
        "joonas.lahtinen@linux.intel.com" <joonas.lahtinen@linux.intel.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Will Deacon <will@kernel.org>,
        Paul Mackerras <paulus@samba.org>,
        Michael Ellerman <mpe@ellerman.id.au>
Cc:     Andi Kleen <ak@linux.intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Stephane Eranian <eranian@google.com>,
        Igor Lubashev <ilubashe@akamai.com>,
        Jiri Olsa <jolsa@redhat.com>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        "intel-gfx@lists.freedesktop.org" <intel-gfx@lists.freedesktop.org>,
        "linux-security-module@vger.kernel.org" 
        <linux-security-module@vger.kernel.org>,
        "selinux@vger.kernel.org" <selinux@vger.kernel.org>,
        linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
        "linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
        "linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
        oprofile-list@lists.sf.net
References: <576a6141-36d4-14c0-b395-8d195892b916@linux.intel.com>
Organization: Intel Corp.
Message-ID: <d0c5ef3d-92e1-26f5-422a-abe683fb5299@linux.intel.com>
Date:   Wed, 5 Feb 2020 20:34:24 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.4.2
MIME-Version: 1.0
In-Reply-To: <576a6141-36d4-14c0-b395-8d195892b916@linux.intel.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


Open access to bpf_trace monitoring for CAP_PERFMON privileged process.
Providing the access under CAP_PERFMON capability singly, without the
rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the
credentials and makes operation more secure.

CAP_PERFMON implements the principal of least privilege for performance
monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39
principle of least privilege: A security design principle that states that
a process or program be granted only those privileges (e.g., capabilities)
necessary to accomplish its legitimate function, and only for the time
that such privileges are actually required)

For backward compatibility reasons access to bpf_trace monitoring remains
open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for
secure bpf_trace monitoring is discouraged with respect to CAP_PERFMON
capability.

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
---
kernel/trace/bpf_trace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index e5ef4ae9edb5..334f1d71ebb1 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1395,7 +1395,7 @@ int perf_event_query_prog_array(struct perf_event *event, void __user *info)
 	u32 *ids, prog_cnt, ids_len;
 	int ret;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!perfmon_capable())
 		return -EPERM;
 	if (event->attr.type != PERF_TYPE_TRACEPOINT)
 		return -EINVAL;
-- 
2.20.1