On 27.10.2020 19:57, Michael Kerrisk (man-pages) wrote: > Hello Alexey, > > On 10/27/20 5:48 PM, Alexey Budankov wrote: >> >> Extend perf_event_open 2 man page with the information about >> CAP_PERFMON capability designed to secure performance monitoring >> and observability operation in a system according to the principle >> of least privilege [1] (POSIX IEEE 1003.1e, 2.2.2.39). >> >> [1] https://sites.google.com/site/fullycapable/, posix_1003.1e-990310.pdf >> >> Signed-off-by: Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx> > > Thanks for this. I've applied. I have a few questions/comments below. > >> --- >> man2/perf_event_open.2 | 32 ++++++++++++++++++++++++++++++-- >> 1 file changed, 30 insertions(+), 2 deletions(-) >> >> diff --git a/man2/perf_event_open.2 b/man2/perf_event_open.2 >> index 4827a359d..9810bc554 100644 >> --- a/man2/perf_event_open.2 >> +++ b/man2/perf_event_open.2 >> @@ -97,6 +97,8 @@ when running on the specified CPU. >> .BR "pid == \-1" " and " "cpu >= 0" >> This measures all processes/threads on the specified CPU. >> This requires >> +.B CAP_PERFMON >> +(since Linux 5.8) or >> .B CAP_SYS_ADMIN >> capability or a >> .I /proc/sys/kernel/perf_event_paranoid >> @@ -108,9 +110,11 @@ This setting is invalid and will return an error. >> When >> .I pid >> is greater than zero, permission to perform this system call >> -is governed by a ptrace access mode >> +is governed by >> +.B CAP_PERFMON >> +(since Linux 5.9) and a ptrace access mode > > I want to check: did you really mean 5.9 here? (Everywhere else, > 5.8 is mentioned, but perhaps this change came in the next kernel > version.) Yes, it is not a typo. This thing was merged into v5.9. Thanks, Alexei > >> .B PTRACE_MODE_READ_REALCREDS >> -check; see >> +check on older Linux versions; see >> .BR ptrace (2). >> .PP >> The >> @@ -2925,6 +2929,8 @@ to hold the result. >> This allows attaching a Berkeley Packet Filter (BPF) >> program to an existing kprobe tracepoint event. >> You need >> +.B CAP_PERFMON >> +(since Linux 5.8) or >> .B CAP_SYS_ADMIN >> privileges to use this ioctl. >> .IP >> @@ -2967,6 +2973,8 @@ have multiple events attached to a tracepoint. >> Querying this value on one tracepoint event returns the id >> of all BPF programs in all events attached to the tracepoint. >> You need >> +.B CAP_PERFMON >> +(since Linux 5.8) or >> .B CAP_SYS_ADMIN >> privileges to use this ioctl. >> .IP >> @@ -3175,6 +3183,8 @@ it was expecting. >> .TP >> .B EACCES >> Returned when the requested event requires >> +.B CAP_PERFMON >> +(since Linux 5.8) or >> .B CAP_SYS_ADMIN >> permissions (or a more permissive perf_event paranoid setting). >> Some common cases where an unprivileged process >> @@ -3296,6 +3306,8 @@ setting is specified. >> It can also happen, as with >> .BR EACCES , >> when the requested event requires >> +.B CAP_PERFMON >> +(since Linux 5.8) or >> .B CAP_SYS_ADMIN >> permissions (or a more permissive perf_event paranoid setting). >> This includes setting a breakpoint on a kernel address, >> @@ -3326,6 +3338,22 @@ The official way of knowing if >> support is enabled is checking >> for the existence of the file >> .IR /proc/sys/kernel/perf_event_paranoid . >> +.PP >> +.B CAP_PERFMON >> +capability (since Linux 5.8) provides secure approach to >> +performance monitoring and observability operations in a system >> +according to the principal of least privilege (POSIX IEEE 1003.1e). >> +Accessing system performance monitoring and observability operations >> +using >> +.B CAP_PERFMON >> +rather than the much more powerful >> +.B CAP_SYS_ADMIN >> +excludes chances to misuse credentials and makes operations more secure. >> +.B CAP_SYS_ADMIN >> +usage for secure system performance monitoring and observability >> +is discouraged with respect to >> +.B CAP_PERFMON >> +capability. > > Thank you for adding the above piece. That point of course > really needs to be emphasized! > > Thanks, > > Michael > >
