[PATCH v4 1/9] capabilities: introduce CAP_SYS_PERFMON to kernel and user space
Serge E. Hallyn
serge at hallyn.com
Sat Dec 28 14:53:31 AEDT 2019
On Wed, Dec 18, 2019 at 12:24:28PM +0300, Alexey Budankov wrote:
>
> Introduce CAP_SYS_PERFMON capability devoted to secure system performance
> monitoring and observability operations so that CAP_SYS_PERFMON would
> assist CAP_SYS_ADMIN capability in its governing role for perf_events,
> i915_perf and other subsystems of the kernel.
>
> CAP_SYS_PERFMON intends to harden system security and integrity during
> system performance monitoring and observability operations by decreasing
> attack surface that is available to CAP_SYS_ADMIN privileged processes.
>
> CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
> to system performance monitoring and observability operations and balance
> amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
> provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability
> is overloaded; see Notes to kernel developers, below."
>
> [1] http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> Signed-off-by: Alexey Budankov <alexey.budankov at linux.intel.com>
Acked-by: Serge Hallyn <serge at hallyn.com>
More information about the Linuxppc-dev
mailing list