[tip: perf/core] doc/admin-guide: update kernel.rst with CAP_PERFMON information

From: tip-bot2 for Alexey Budankov
Date: Wed Apr 22 2020 - 08:19:58 EST

Next message: tip-bot2 for Alexey Budankov: "[tip: perf/core] drivers/perf: Open access for CAP_PERFMON privileged process"
Previous message: tip-bot2 for Alexey Budankov: "[tip: perf/core] drivers/oprofile: Open access for CAP_PERFMON privileged process"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The following commit has been merged into the perf/core branch of tip:

Commit-ID: 025b16f81dd7f51f29d0109399d669438c63b6ce
Gitweb: https://git.kernel.org/tip/025b16f81dd7f51f29d0109399d669438c63b6ce
Author: Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx>
AuthorDate: Thu, 02 Apr 2020 11:54:39 +03:00
Committer: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
CommitterDate: Thu, 16 Apr 2020 12:19:12 -03:00

doc/admin-guide: update kernel.rst with CAP_PERFMON information

Update the kernel.rst documentation file with the information related to
usage of CAP_PERFMON capability to secure performance monitoring and
observability operations in system.

Signed-off-by: Alexey Budankov <alexey.budankov@xxxxxxxxxxxxxxx>
Cc: Alexei Starovoitov <ast@xxxxxxxxxx>
Cc: Andi Kleen <ak@xxxxxxxxxxxxxxx>
Cc: Igor Lubashev <ilubashe@xxxxxxxxxx>
Cc: James Morris <jmorris@xxxxxxxxx>
Cc: Jiri Olsa <jolsa@xxxxxxxxxx>
Cc: Namhyung Kim <namhyung@xxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Serge Hallyn <serge@xxxxxxxxxx>
Cc: Song Liu <songliubraving@xxxxxx>
Cc: Stephane Eranian <eranian@xxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: intel-gfx@xxxxxxxxxxxxxxxxxxxxx
Cc: linux-doc@xxxxxxxxxxxxxxx
Cc: linux-man@xxxxxxxxxxxxxxx
Cc: linux-security-module@xxxxxxxxxxxxxxx
Cc: selinux@xxxxxxxxxxxxxxx
Link: http://lore.kernel.org/lkml/84c32383-14a2-fa35-16b6-f9e59bd37240@xxxxxxxxxxxxxxx
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
Documentation/admin-guide/sysctl/kernel.rst | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
index 39c95c0..7e4c28d 100644
--- a/Documentation/admin-guide/sysctl/kernel.rst
+++ b/Documentation/admin-guide/sysctl/kernel.rst
@@ -730,7 +730,13 @@ perf_event_paranoid
===================

Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN). The default value is 2.
+users (without CAP_PERFMON). The default value is 2.
+
+For backward compatibility reasons access to system performance
+monitoring and observability remains open for CAP_SYS_ADMIN
+privileged processes but CAP_SYS_ADMIN usage for secure system
+performance monitoring and observability operations is discouraged
+with respect to CAP_PERFMON use cases.

=== ==================================================================
-1 Allow use of (almost) all events by all users.
@@ -739,13 +745,13 @@ users (without CAP_SYS_ADMIN). The default value is 2.
``CAP_IPC_LOCK``.

>=0 Disallow ftrace function tracepoint by users without
- ``CAP_SYS_ADMIN``.
+ ``CAP_PERFMON``.

- Disallow raw tracepoint access by users without ``CAP_SYS_ADMIN``.
+ Disallow raw tracepoint access by users without ``CAP_PERFMON``.

->=1 Disallow CPU event access by users without ``CAP_SYS_ADMIN``.
+>=1 Disallow CPU event access by users without ``CAP_PERFMON``.

->=2 Disallow kernel profiling by users without ``CAP_SYS_ADMIN``.
+>=2 Disallow kernel profiling by users without ``CAP_PERFMON``.
=== ==================================================================

Next message: tip-bot2 for Alexey Budankov: "[tip: perf/core] drivers/perf: Open access for CAP_PERFMON privileged process"
Previous message: tip-bot2 for Alexey Budankov: "[tip: perf/core] drivers/oprofile: Open access for CAP_PERFMON privileged process"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]