On Mon, Oct 19, 2020 at 08:15:14PM +0300, Alexey Budankov wrote:
> 
> Assignment of the CAP_PERFMON [1] Linux capability to an executable located
> on a file system requires extended attributes (xattrs) [2] to be supported
> by the file system. Even if the file system supports xattrs, the fs device
> should be mounted with permission to use xattrs for files located on the
> device (e.g. without the nosuid option [3]). No xattrs support and nosuid
> mounts are quite common in HPC and Cloud multiuser environments, thus the
> applicability of privileged Perf user groups based on file capabilities
> [4] is limited in those environments. An alternative method to confer Linux
> capabilities into a process still exists, and it is through creation of a
> capabilities-enabled semi-privileged shell environment. Usage of this
> method to extend the privileged Perf user groups approach is documented in
> this patch set as an extension to the perf-security.rst admin guide file.
> 
> [1] https://man7.org/linux/man-pages/man7/capabilities.7.html
> [2] https://man7.org/linux/man-pages/man7/xattr.7.html
> [3] https://man7.org/linux/man-pages/man8/mount.8.html
> [4] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#privileged-perf-users-groups

Thanks, applied.

- Arnaldo

> ---
> Alexey Budankov (2):
>   doc/admin-guide: note credentials consolidation under CAP_PERFMON
>   doc/admin-guide: document creation of CAP_PERFMON privileged shell
> 
>  Documentation/admin-guide/perf-security.rst | 81 ++++++++++++++++++---
>  1 file changed, 70 insertions(+), 11 deletions(-)
> 
> -- 
> 2.24.1
> 

-- 

- Arnaldo
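As an added example (not part of this mail or of the patch set), a small C check of the two conditions the cover letter turns on: whether a mount's option list contains nosuid, in which case file capabilities set via xattrs are not honored there, and whether a process's effective capability set, as shown in the CapEff line of /proc/<pid>/status, actually contains CAP_PERFMON (capability number 38) once a capabilities-enabled shell has been entered. The sample status text is constructed; the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define CAP_PERFMON 38  /* capability number from linux/capability.h */
/* Return 0 if the comma-separated mount options contain "nosuid" (file
 * capabilities on such a mount are not honored), else 1. */
int mount_honors_file_caps(const char *opts)
{
    char buf[256];
    snprintf(buf, sizeof(buf), "%s", opts);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        if (strcmp(tok, "nosuid") == 0)
            return 0;
    return 1;
}

/* Parse the hex mask after "CapEff:" in a /proc/<pid>/status text; return 1
 * if capability number `cap` is set, 0 otherwise or if the line is missing. */
int cap_eff_has(const char *status, int cap)
{
    const char *p = strstr(status, "CapEff:");
    if (!p || cap < 0 || cap > 63) return 0;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    uint64_t mask = strtoull(p, &end, 16);
    return end == p ? 0 : (int)((mask >> cap) & 1);
}

/* Check the calling process itself via the live /proc/self/status. */
int self_has_cap_perfmon(void)
{
    char status[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(status, 1, sizeof(status) - 1, f);
    fclose(f);
    status[n] = '\0';
    return cap_eff_has(status, CAP_PERFMON);
}

int main(void)
{
    printf("this process has CAP_PERFMON: %d\n", self_has_cap_perfmon());
    return 0;
}
```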