[PATCH v5 10/10] drivers/oprofile: open access for CAP_PERFMON privileged process

From: Alexey Budankov
Date: Mon Jan 20 2020 - 06:33:54 EST

Next message: syzbot: "KASAN: use-after-free Read in __nf_tables_abort"
Previous message: Alexey Budankov: "[PATCH v5 09/10] drivers/perf: open access for CAP_PERFMON privileged process"
In reply to: Alexey Budankov: "[PATCH v5 09/10] drivers/perf: open access for CAP_PERFMON privileged process"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Open access to monitoring for CAP_PERFMON privileged processes.
For backward compatibility reasons access to the monitoring remains
open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage
for secure monitoring is discouraged with respect to CAP_PERFMON
capability. Providing the access under CAP_PERFMON capability singly,
without the rest of CAP_SYS_ADMIN credentials, excludes chances to
misuse the credentials and makes the operations more secure.

Signed-off-by: Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx>
---
drivers/oprofile/event_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/oprofile/event_buffer.c b/drivers/oprofile/event_buffer.c
index 12ea4a4ad607..6c9edc8bbc95 100644
--- a/drivers/oprofile/event_buffer.c
+++ b/drivers/oprofile/event_buffer.c
@@ -113,7 +113,7 @@ static int event_buffer_open(struct inode *inode, struct file *file)
{
int err = -EPERM;

- if (!capable(CAP_SYS_ADMIN))
+ if (!perfmon_capable())
return -EPERM;

if (test_and_set_bit_lock(0, &buffer_opened))
--
2.20.1

Next message: syzbot: "KASAN: use-after-free Read in __nf_tables_abort"
Previous message: Alexey Budankov: "[PATCH v5 09/10] drivers/perf: open access for CAP_PERFMON privileged process"
In reply to: Alexey Budankov: "[PATCH v5 09/10] drivers/perf: open access for CAP_PERFMON privileged process"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]