On Wed, Dec 18, 2019 at 12:24:28PM +0300, Alexey Budankov wrote: > > Introduce CAP_SYS_PERFMON capability devoted to secure system performance > monitoring and observability operations so that CAP_SYS_PERFMON would > assist CAP_SYS_ADMIN capability in its governing role for perf_events, > i915_perf and other subsystems of the kernel. > > CAP_SYS_PERFMON intends to harden system security and integrity during > system performance monitoring and observability operations by decreasing > attack surface that is available to CAP_SYS_ADMIN privileged processes. > > CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related > to system performance monitoring and observability operations and balance > amount of CAP_SYS_ADMIN credentials in accordance with the recommendations > provided in the man page for CAP_SYS_ADMIN [1]: "Note: this capability > is overloaded; see Notes to kernel developers, below." > > [1] http://man7.org/linux/man-pages/man7/capabilities.7.html > > Signed-off-by: Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx> Acked-by: Serge Hallyn <serge@xxxxxxxxxx> _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx
