• A
    capabilities: Introduce CAP_PERFMON to kernel and user space · 98073728
    Alexey Budankov 提交于
    Introduce the CAP_PERFMON capability designed to secure system
    performance monitoring and observability operations so that CAP_PERFMON
    can assist CAP_SYS_ADMIN capability in its governing role for
    performance monitoring and observability subsystems.
    
    CAP_PERFMON hardens system security and integrity during performance
    monitoring and observability operations by decreasing attack surface that
    is available to a CAP_SYS_ADMIN privileged process [2]. Providing the access
    to system performance monitoring and observability operations under CAP_PERFMON
    capability singly, without the rest of CAP_SYS_ADMIN credentials, excludes
    chances to misuse the credentials and makes the operation more secure.
    
    Thus, CAP_PERFMON implements the principle of least privilege for
    performance monitoring and observability operations (POSIX IEEE 1003.1e:
    2.2.2.39 principle of least privilege: A security design principle that
      states that a process or program be granted only those privileges
    (e.g., capabilities) necessary to accomplish its legitimate function,
    and only for the time that such privileges are actually required)
    
    CAP_PERFMON meets the demand to secure system performance monitoring and
    observability operations for adoption in security sensitive, restricted,
    multiuser production environments (e.g. HPC clusters, cloud and virtual compute
    environments), where root or CAP_SYS_ADMIN credentials are not available to
    mass users of a system, and securely unblocks applicability and scalability
    of system performance monitoring and observability operations beyond root
    and CAP_SYS_ADMIN use cases.
    
    CAP_PERFMON takes over CAP_SYS_ADMIN credentials related to system performance
    monitoring and observability operations and balances amount of CAP_SYS_ADMIN
    credentials following the recommendations in the capabilities man page [1]
    for CAP_SYS_ADMIN: "Note: this capability is overloaded; see Notes to kernel
    developers, below." For backward compatibility reasons access to system
    performance monitoring and observability subsystems of the kernel remains
    open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN capability
    usage for secure system performance monitoring and observability operations
    is discouraged with respect to the designed CAP_PERFMON capability.
    
    Although the software running under CAP_PERFMON can not ensure avoidance
    of related hardware issues, the software can still mitigate these issues
    following the official hardware issues mitigation procedure [2]. The bugs
    in the software itself can be fixed following the standard kernel development
    process [3] to maintain and harden security of system performance monitoring
    and observability operations.
    
    [1] http://man7.org/linux/man-pages/man7/capabilities.7.html
    [2] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
    [3] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.htmlSigned-off-by: NAlexey Budankov <alexey.budankov@linux.intel.com>
    Acked-by: NJames Morris <jamorris@linux.microsoft.com>
    Acked-by: NSerge E. Hallyn <serge@hallyn.com>
    Acked-by: NSong Liu <songliubraving@fb.com>
    Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
    Tested-by: NArnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: Igor Lubashev <ilubashe@akamai.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: intel-gfx@lists.freedesktop.org
    Cc: linux-doc@vger.kernel.org
    Cc: linux-man@vger.kernel.org
    Cc: linux-security-module@vger.kernel.org
    Cc: selinux@vger.kernel.org
    Link: http://lore.kernel.org/lkml/5590d543-82c6-490a-6544-08e6a5517db0@linux.intel.comSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
    98073728
capability.h 7.9 KB