On 05.04.2020 17:10, Arnaldo Carvalho de Melo wrote:
> On Thu, Apr 02, 2020 at 11:54:39AM +0300, Alexey Budankov wrote:
>>
>> Update kernel.rst documentation file with the information
>> related to usage of CAP_PERFMON capability to secure performance
>> monitoring and observability operations in system.
>
> This one is failing in my perf/core branch, please take a look. I'm

Trying to reproduce right now. What kind of failure do you see?
Please share some specifics so I could follow up properly.

Thanks,
Alexey

> pushing my perf/core branch with this series applied, please check that
> everything is ok, I'll do some testing now, but it all seems ok.
>
> Thanks,
>
> - Arnaldo
>
>> Signed-off-by: Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx>
>> ---
>> Documentation/admin-guide/sysctl/kernel.rst | 16 +++++++++++-----
>> 1 file changed, 11 insertions(+), 5 deletions(-)
>>
>> diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
>> index def074807cee..b06ae9389809 100644
>> --- a/Documentation/admin-guide/sysctl/kernel.rst
>> +++ b/Documentation/admin-guide/sysctl/kernel.rst
>> @@ -720,20 +720,26 @@ perf_event_paranoid: >> ==================== >> >> Controls use of the performance events system by unprivileged >> -users (without CAP_SYS_ADMIN). The default value is 2. >> +users (without CAP_PERFMON). The default value is 2. >> + >> +For backward compatibility reasons access to system performance >> +monitoring and observability remains open for CAP_SYS_ADMIN >> +privileged processes but CAP_SYS_ADMIN usage for secure system >> +performance monitoring and observability operations is discouraged >> +with respect to CAP_PERFMON use cases. >> >> === ================================================================== >> -1 Allow use of (almost) all events by all users >> >> Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK >> >> ->=0 Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN >> +>=0 Disallow ftrace function tracepoint by users without CAP_PERFMON >> >> - Disallow raw tracepoint access by users without CAP_SYS_ADMIN >> + Disallow raw tracepoint access by users without CAP_PERFMON >> >> ->=1 Disallow CPU event access by users without CAP_SYS_ADMIN >> +>=1 Disallow CPU event access by users without CAP_PERFMON >> >> ->=2 Disallow kernel profiling by users without CAP_SYS_ADMIN >> +>=2 Disallow kernel profiling by users without CAP_PERFMON >> === ================================================================== >> >> >> -- >> 2.24.1 >> >
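Review bot: the new paragraph (the six `+` lines after the `+users (without CAP_PERFMON). The default value is 2.` change) is hard to parse; "is discouraged with respect to CAP_PERFMON use cases" never states which capability a reader should actually grant, and "remains open for CAP_SYS_ADMIN privileged processes" restates the sentence it is meant to qualify. Suggest rewording to something like `+For backward compatibility, processes with CAP_SYS_ADMIN keep access to` / `+system performance monitoring and observability, but CAP_PERFMON is` / `+the preferred capability for these operations.` Since every table row below now names CAP_PERFMON only, this paragraph is the one place that explains why CAP_SYS_ADMIN still works, so it should say that plainly and in one sentence.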