Subject: [PATCH v7 05/12] drm/i915/perf: open access for CAP_PERFMON privileged process
From: Alexey Budankov
To: James Morris, Serge Hallyn, Stephen Smalley, Peter Zijlstra, Arnaldo Carvalho de Melo, Ingo Molnar, "joonas.lahtinen@linux.intel.com", Alexei Starovoitov, Will Deacon, Paul Mackerras, Helge Deller, Thomas Gleixner
Cc: Andi Kleen, Stephane Eranian, Igor Lubashev, Jiri Olsa, linux-kernel, "intel-gfx@lists.freedesktop.org", "linux-security-module@vger.kernel.org", "selinux@vger.kernel.org", linux-arm-kernel, "linuxppc-dev@lists.ozlabs.org", "linux-parisc@vger.kernel.org", oprofile-list@lists.sf.net, "linux-doc@vger.kernel.org", linux-man@vger.kernel.org
Organization: Intel Corp.
Message-ID: <8b408c10-9bb0-4b08-8681-93c0f4a1132e@linux.intel.com>
Date: Mon, 17 Feb 2020 11:08:46 +0300
X-Mailing-List: linux-kernel@vger.kernel.org

Open access to i915_perf monitoring for CAP_PERFMON privileged process. Providing the access under CAP_PERFMON capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the credentials and makes operation more secure.

CAP_PERFMON implements the principle of least privilege for performance monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 principle of least privilege: A security design principle that states that a process or program be granted only those privileges (e.g., capabilities) necessary to accomplish its legitimate function, and only for the time that such privileges are actually required).

For backward compatibility reasons, access to i915_events subsystem remains open for CAP_SYS_ADMIN privileged processes, but CAP_SYS_ADMIN usage for secure i915_events monitoring is discouraged with respect to CAP_PERFMON capability.

Signed-off-by: Alexey Budankov --- drivers/gpu/drm/i915/i915_perf.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c index 0f556d80ba36..a3f32bd0aa47 100644 --- a/drivers/gpu/drm/i915/i915_perf.c +++ b/drivers/gpu/drm/i915/i915_perf.c @@ -3378,10 +3378,10 @@ i915_perf_open_ioctl_locked(struct i915_perf *perf, /* Similar to perf's kernel.perf_paranoid_cpu sysctl option * we check a dev.i915.perf_stream_paranoid sysctl option * to determine if it's ok to access system wide OA counters - * without CAP_SYS_ADMIN privileges. + * without CAP_PERFMON or CAP_SYS_ADMIN privileges. */ if (privileged_op && - i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) { + i915_perf_stream_paranoid && !perfmon_capable()) { DRM_DEBUG("Insufficient privileges to open i915 perf stream\n"); ret = -EACCES; goto err_ctx; @@ -3574,9 +3574,8 @@ static int read_properties_unlocked(struct i915_perf *perf, } else oa_freq_hz = 0; - if (oa_freq_hz > i915_oa_max_sample_rate && - !capable(CAP_SYS_ADMIN)) { - DRM_DEBUG("OA exponent would exceed the max sampling frequency (sysctl dev.i915.oa_max_sample_rate) %uHz without root privileges\n", + if (oa_freq_hz > i915_oa_max_sample_rate && !perfmon_capable()) { + DRM_DEBUG("OA exponent would exceed the max sampling frequency (sysctl dev.i915.oa_max_sample_rate) %uHz without CAP_PERFMON or CAP_SYS_ADMIN privileges\n", i915_oa_max_sample_rate); return -EACCES; } @@ -3997,7 +3996,7 @@ int i915_perf_add_config_ioctl(struct drm_device *dev, void *data, return -EINVAL; } - if (i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) { + if (i915_perf_stream_paranoid && !perfmon_capable()) { DRM_DEBUG("Insufficient privileges to add i915 OA config\n"); return -EACCES; } 
@@ -4144,7 +4143,7 @@ int i915_perf_remove_config_ioctl(struct drm_device *dev, void *data, return -ENOTSUPP; } - if (i915_perf_stream_paranoid && !capable(CAP_SYS_ADMIN)) { + if (i915_perf_stream_paranoid && !perfmon_capable()) { DRM_DEBUG("Insufficient privileges to remove i915 OA config\n"); return -EACCES; } -- 2.20.1
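Review bot: In the i915_perf_open_ioctl_locked hunk, the updated comment says system-wide OA access needs "CAP_PERFMON or CAP_SYS_ADMIN", but the only check visible is `!perfmon_capable()`, and this patch does not define that helper. The CAP_SYS_ADMIN fallback promised in the commit message therefore rests entirely on a helper introduced elsewhere in the series. Please say so in the comment or the commit message (for example, that perfmon_capable() accepts either capability) so that a reader of this file alone can verify the backward-compatibility claim.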
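Review bot: In the read_properties_unlocked hunk, the capability now gates more than access: a CAP_PERFMON holder may request an OA frequency above dev.i915.oa_max_sample_rate. The commit message only speaks of opening access to i915_perf monitoring, so it should state explicitly that CAP_PERFMON also lifts the sampling-rate limit, since that is a resource-usage decision an administrator will want to know about before granting the capability.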
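Review bot: In the i915_perf_add_config_ioctl hunk, the DRM_DEBUG text "Insufficient privileges to add i915 OA config" is left unchanged, while the message in read_properties_unlocked was updated to name "CAP_PERFMON or CAP_SYS_ADMIN". Naming the required capabilities here as well (and in the open-stream and remove-config messages) would keep the debug output consistent and tell the operator which capability is missing.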
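Review bot: With the i915_perf_remove_config_ioctl hunk, the sub-expression `i915_perf_stream_paranoid && !perfmon_capable()` now appears in three call sites in this patch (stream open, add config, remove config). Consider wrapping it in a small static helper in i915_perf.c, so that a later policy change cannot update one call site and miss another.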