On 05.04.2020 17:10, Arnaldo Carvalho de Melo wrote: > Em Thu, Apr 02, 2020 at 11:54:39AM +0300, Alexey Budankov escreveu: >> >> Update kernel.rst documentation file with the information >> related to usage of CAP_PERFMON capability to secure performance >> monitoring and observability operations in system. > > This one is failing in my perf/core branch, please take a look. I'm Trying to reproduce right now. What kind of failure do you see? Please share some specifics so I could follow up properly. Thanks, Alexey > pushing my perf/core branch with this series applied, please check that > everything is ok, I'll do some testing now, but it all seems ok. > > Thanks, > > - Arnaldo > >> Signed-off-by: Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx> >> --- >> Documentation/admin-guide/sysctl/kernel.rst | 16 +++++++++++----- >> 1 file changed, 11 insertions(+), 5 deletions(-) >> >> diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst >> index def074807cee..b06ae9389809 100644 >> --- a/Documentation/admin-guide/sysctl/kernel.rst >> +++ b/Documentation/admin-guide/sysctl/kernel.rst >> @@ -720,20 +720,26 @@ perf_event_paranoid: >> ==================== >> >> Controls use of the performance events system by unprivileged >> -users (without CAP_SYS_ADMIN). The default value is 2. >> +users (without CAP_PERFMON). The default value is 2. >> + >> +For backward compatibility reasons access to system performance >> +monitoring and observability remains open for CAP_SYS_ADMIN >> +privileged processes but CAP_SYS_ADMIN usage for secure system >> +performance monitoring and observability operations is discouraged >> +with respect to CAP_PERFMON use cases. >> >> === ================================================================== >> -1 Allow use of (almost) all events by all users >> >> Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK >> >> ->=0 Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN >> +>=0 Disallow ftrace function tracepoint by users without CAP_PERFMON >> >> - Disallow raw tracepoint access by users without CAP_SYS_ADMIN >> + Disallow raw tracepoint access by users without CAP_PERFMON >> >> ->=1 Disallow CPU event access by users without CAP_SYS_ADMIN >> +>=1 Disallow CPU event access by users without CAP_PERFMON >> >> ->=2 Disallow kernel profiling by users without CAP_SYS_ADMIN >> +>=2 Disallow kernel profiling by users without CAP_PERFMON >> === ================================================================== >> >> >> -- >> 2.24.1 >> >
