Message ID | 22abd684-706c-1b3c-3858-e756217c9243@linux.intel.com (mailing list archive) |
---|---|
State | Awaiting Upstream |
Headers | show |
Series | Introduce CAP_SYS_PERFMON to secure system performance monitoring and observability | expand |
diff --git a/arch/parisc/kernel/perf.c b/arch/parisc/kernel/perf.c index 676683641d00..58e7d1444e4f 100644 --- a/arch/parisc/kernel/perf.c +++ b/arch/parisc/kernel/perf.c @@ -300,7 +300,7 @@ static ssize_t perf_write(struct file *file, const char __user *buf, else return -EFAULT; - if (!capable(CAP_SYS_ADMIN)) + if (!(capable(CAP_SYS_PERFMON) || capable(CAP_SYS_ADMIN))) return -EACCES; if (count != sizeof(uint32_t))
Open access to monitoring for CAP_SYS_PERFMON privileged processes. For backward compatibility reasons access to the monitoring remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN usage for secure monitoring is discouraged with respect to CAP_SYS_PERFMON capability. Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com> --- arch/parisc/kernel/perf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)