[PATCH v4 5/9] trace/bpf_trace: open access for CAP_SYS_PERFMON privileged process
Song Liu
songliubraving at fb.com
Tue Jan 14 07:47:04 AEDT 2020
> On Dec 18, 2019, at 1:28 AM, Alexey Budankov <alexey.budankov at linux.intel.com> wrote:
>
>
> Open access to bpf_trace monitoring for CAP_SYS_PERFMON privileged
> processes. For backward compatibility reasons access to bpf_trace
> monitoring remains open for CAP_SYS_ADMIN privileged processes but
> CAP_SYS_ADMIN usage for secure bpf_trace monitoring is discouraged
> with respect to CAP_SYS_PERFMON capability.
>
> Signed-off-by: Alexey Budankov <alexey.budankov at linux.intel.com>
Acked-by: Song Liu <songliubraving at fb.com>
> ---
> kernel/trace/bpf_trace.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 44bd08f2443b..bafe21ac6d92 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -1272,7 +1272,7 @@ int perf_event_query_prog_array(struct perf_event *event, void __user *info)
> u32 *ids, prog_cnt, ids_len;
> int ret;
>
> - if (!capable(CAP_SYS_ADMIN))
> + if (!perfmon_capable())
> return -EPERM;
> if (event->attr.type != PERF_TYPE_TRACEPOINT)
> return -EINVAL;
I guess we need to fix this check for kprobe/uprobe created with
perf_event_open()...
Thanks,
Song
More information about the Linuxppc-dev
mailing list