Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp6179417ybv; Tue, 18 Feb 2020 11:27:48 -0800 (PST) X-Google-Smtp-Source: APXvYqwdB2KrTrhMl1CkW8+y9eJvhO05bNasDxsUICXfcbec5K17afzowQJsTxcv9qGr7N/rnN1a X-Received: by 2002:a9d:6548:: with SMTP id q8mr14896980otl.356.1582054068371; Tue, 18 Feb 2020 11:27:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582054068; cv=none; d=google.com; s=arc-20160816; b=Z2zqmTws1XBqG2Mf+vYMWfIPW/jEyNGjI6EjKjS/YCNYDDkT7YxsUaBkRceq3/wscW l20pz2N7lN4bidE4+FRyEhNiLjTSzvIysCvX1tU6SinQ/g06KkdkBtVXlf9HXlEaky/A thJ+ZZXbrktbh6jxWHR41lGvTR6tFh4KueAeFgLfAHCsDCbB5XmRfzdToJTMqu5JVg+2 xa+BunzQE/ZwJ/p8ABimQQ//k3MJGvHxxKm6X7IlKUU4eX3fLM/xO058I1c2hNtjj9rR 2tE+W+zaD5GH7hJfE00FdJcfDG2c303rETFc30rhujaLsd6+Qmfblog8LHRznWc+PZgc EfPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=um2f/+KQ+CxUM8rwoKHcY+sGVyAmf0UXDR1GAr1SSHI=; b=eviaik5hH9IX/q4DI7HwwBa95O5M9Rz5w/Jg/f4jzymClcNpT9HBPbKL0sixnYHeAE 4IcEOyFXiFL2Odf+B8fH50Zg8mwurE5mOYoHjGExxmHoqZ7N/wiEaNNsoDq7pR/H+vvW DiELZPWDjx0s+yFS7c1Rl/lbsCgR+nQoIc/0ylj+bkUq1CwIIKwYHwMOvrNkIZ3u/75Z 2Pss53EW4WldTEgUubwwRJpHz3wE8KoZ/2cx1lLv8WAW+kBn6pD6cuiwfwR3B6ejYzvZ kGv/427iDPrfHen8VQ9Hx4oOWIqs6ktJZzBvswAmtVqM/WnhYwrpu+iHYKjjWyncuCHM upQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y8si8210090oih.141.2020.02.18.11.27.36; Tue, 18 Feb 2020 11:27:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726650AbgBRT1N (ORCPT + 99 others); Tue, 18 Feb 2020 14:27:13 -0500 Received: from namei.org ([65.99.196.166]:46736 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726296AbgBRT1N (ORCPT ); Tue, 18 Feb 2020 14:27:13 -0500 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id 01IJPSnR013669; Tue, 18 Feb 2020 19:25:28 GMT Date: Wed, 19 Feb 2020 06:25:28 +1100 (AEDT) From: James Morris To: Alexey Budankov cc: Serge Hallyn , Stephen Smalley , Peter Zijlstra , Arnaldo Carvalho de Melo , Ingo Molnar , "joonas.lahtinen@linux.intel.com" , Alexei Starovoitov , Will Deacon , Paul Mackerras , Helge Deller , Thomas Gleixner , Andi Kleen , Stephane Eranian , Igor Lubashev , Jiri Olsa , linux-kernel , "intel-gfx@lists.freedesktop.org" , "linux-security-module@vger.kernel.org" , "selinux@vger.kernel.org" , linux-arm-kernel , "linuxppc-dev@lists.ozlabs.org" , "linux-parisc@vger.kernel.org" , oprofile-list@lists.sf.net, "linux-doc@vger.kernel.org" , linux-man@vger.kernel.org Subject: Re: [PATCH v7 06/12] trace/bpf_trace: open access for CAP_PERFMON privileged process In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 17 Feb 2020, Alexey Budankov wrote: > > Open access to bpf_trace monitoring for CAP_PERFMON privileged process. > Providing the access under CAP_PERFMON capability singly, without the > rest of CAP_SYS_ADMIN credentials, excludes chances to misuse the > credentials and makes operation more secure. > > CAP_PERFMON implements the principal of least privilege for performance > monitoring and observability operations (POSIX IEEE 1003.1e 2.2.2.39 > principle of least privilege: A security design principle that states > that a process or program be granted only those privileges (e.g., > capabilities) necessary to accomplish its legitimate function, and only > for the time that such privileges are actually required) > > For backward compatibility reasons access to bpf_trace monitoring > remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN > usage for secure bpf_trace monitoring is discouraged with respect to > CAP_PERFMON capability. > > Signed-off-by: Alexey Budankov Reviewed-by: James Morris -- James Morris