Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx> writes: > On 22.01.2020 17:25, Alexey Budankov wrote: >> On 22.01.2020 17:07, Stephen Smalley wrote: >>>> It keeps the implementation simple and readable. The implementation is more >>>> performant in the sense of calling the API - one capable() call for CAP_PERFMON >>>> privileged process. >>>> >>>> Yes, it bloats audit log for CAP_SYS_ADMIN privileged and unprivileged processes, >>>> but this bloating also advertises and leverages using more secure CAP_PERFMON >>>> based approach to use perf_event_open system call. >>> >>> I can live with that. We just need to document that when you see >>> both a CAP_PERFMON and a CAP_SYS_ADMIN audit message for a process, >>> try only allowing CAP_PERFMON first and see if that resolves the >>> issue. We have a similar issue with CAP_DAC_READ_SEARCH versus >>> CAP_DAC_OVERRIDE. >> >> perf security [1] document can be updated, at least, to align and document >> this audit logging specifics. > > And I plan to update the document right after this patch set is accepted. > Feel free to let me know of the places in the kernel docs that also > require update w.r.t CAP_PERFMON extension. The documentation update wants be part of the patch set and not planned to be done _after_ the patch set is merged. Thanks, tglx