On Tue, Jun 14, 2022 at 12:20 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> Debian uses a downstream patch[1] to allow further restriction of
> perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2)
> operations.
>
> [1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  policy/test_perf_event.te | 29 +++++++++++++++++++++++------
>  tests/perf_event/test     | 39 ++++++++++++++++++++++++++++-----------
>  2 files changed, 51 insertions(+), 17 deletions(-)

Could we instead temporarily set the sysctl to 2 if it's 3, rather than adapting to Debian's downstream patch? The testsuite already does a lot of various temporary system-wide tweaks, so I don't think it's worth adding all this complexity just to avoid touching the sysctl.

And actually, if we are already going to touch it, we could iterate through all the normal values (0-2) and check that each works as expected w.r.t. CAP_PERFMON (but I'll leave it up to you if you want to implement that or not).

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
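The approach suggested in the reply above (lower a level-3 sysctl to 2 for the duration of a test run, restore it afterwards, and optionally iterate over the upstream levels), written out as an added POSIX shell example that is not part of the thread or of the testsuite. It assumes the sysctl in question is kernel.perf_event_paranoid and makes the file path overridable via PARANOID_FILE so the logic can be exercised on a temporary file without root.

```shell
#!/bin/sh
# Added example (not from the thread or the testsuite). Writing the real
# /proc/sys file requires root; PARANOID_FILE can point at a scratch file.
PARANOID_FILE="${PARANOID_FILE:-/proc/sys/kernel/perf_event_paranoid}"

# Map the current level to the one the test run should use: the Debian-only
# level 3 becomes the upstream maximum 2, upstream levels (-1..2) are kept.
effective_paranoid() {
    case "$1" in
        3) echo 2 ;;
        -1|0|1|2) echo "$1" ;;
        *) echo "unexpected perf_event_paranoid value: $1" >&2; return 1 ;;
    esac
}

# Run "$@" with the adjusted level, restoring the original value on exit.
with_perf_paranoid() {
    orig=$(cat "$PARANOID_FILE") || return 1
    want=$(effective_paranoid "$orig") || return 1
    if [ "$want" != "$orig" ]; then
        echo "$want" > "$PARANOID_FILE" || return 1
    fi
    "$@"
    rc=$?
    echo "$orig" > "$PARANOID_FILE"
    return $rc
}

# Run "$@" once per upstream level 0, 1, 2 (level passed as the last
# argument so the test can check CAP_PERFMON behaviour for each), then
# restore the original value. Returns non-zero if any run failed.
for_each_paranoid_level() {
    orig=$(cat "$PARANOID_FILE") || return 1
    rc=0
    for level in 0 1 2; do
        echo "$level" > "$PARANOID_FILE" || { rc=1; break; }
        "$@" "$level" || rc=1
    done
    echo "$orig" > "$PARANOID_FILE"
    return $rc
}
```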