kernel/linux.git/Documentation/admin-guide/perf-security.rst, branch v6.19.11Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.112021-02-11T16:38:40+00:00doc/admin-guide: fix spelling mistake: "perfomance" -> "performance"2021-02-11T16:38:40+00:00Colin Ian Kingcolin.king@canonical.com2021-02-10T11:56:24+00:00urn:sha1:a15cb2c1658417f9e8c7e84fe5d6ee0b63cbb9b0
There is a spelling mistake in the perf-security documentation. Fix it.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: https://lore.kernel.org/r/20210210115624.53551-1-colin.king@canonical.com
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
doc/admin-guide: Document creation of CAP_PERFMON privileged shell2020-11-04T12:42:40+00:00Alexey Budankovalexey.budankov@linux.intel.com2020-10-19T17:18:12+00:00urn:sha1:1dd88c195d59b79f0a974618cdf723f74c192b52
Document steps to create CAP_PERFMON privileged shell to unblock Perf
tool usage in cases when capabilities can't be assigned to an executable
due to limitations of used file system.
Suggested-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Cc: linux-man@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Link: http://lore.kernel.org/lkml/0abda956-de6c-95b1-61e8-49e146501079@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
doc/admin-guide: Note credentials consolidation under CAP_PERFMON2020-11-04T12:42:40+00:00Alexey Budankovalexey.budankov@linux.intel.com2020-10-19T17:16:49+00:00urn:sha1:4cb3fb1cd96f9e9a2c5095db42c2d7adbd5c5af9
Add note that starting from Linux v5.9 CAP_PERFMON Linux capability is
enough to conduct performance monitoring and observability using
perf_events API.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Cc: linux-man@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Link: http://lore.kernel.org/lkml/2b1a92a1-84ce-5c70-837d-8ffe96849588@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
doc/admin-guide: Update perf-security.rst with CAP_PERFMON information2020-04-16T15:19:10+00:00Alexey Budankovalexey.budankov@linux.intel.com2020-04-02T08:54:01+00:00urn:sha1:902a8dcc5ba6c5dc3332e8806b01be2f0f7ef2e4
Update perf-security.rst documentation file with the information
related to usage of CAP_PERFMON capability to secure performance
monitoring and observability operations in system.
Committer notes:
While testing 'perf top' under cap_perfmon I noticed that it needs
some more capability and Alexey pointed out cap_ipc_lock, as needed by
this kernel chunk:
kernel/events/core.c: 6101
if ((locked > lock_limit) && perf_is_paranoid() &&
!capable(CAP_IPC_LOCK)) {
ret = -EPERM;
goto unlock;
}
So I added it to the documentation, and also mentioned that if the
libcap version doesn't yet supports 'cap_perfmon', its numeric value can
be used instead, i.e. if:
# setcap "cap_perfmon,cap_ipc_lock,cap_sys_ptrace,cap_syslog=ep" perf
Fails, try:
# setcap "38,cap_ipc_lock,cap_sys_ptrace,cap_syslog=ep" perf
I also added a paragraph stating that using an unpatched libcap will
fail the check for CAP_PERFMON, as it checks the cap number against a
maximum to see if it is valid, which makes it use as the default the
'cycles:u' event, even tho a cap_perfmon capable perf binary can get
kernel samples, to workaround that just use, e.g.:
# perf top -e cycles
# perf record -e cycles
And it will sample kernel and user modes.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Igor Lubashev <ilubashe@akamai.com>
Cc: James Morris <jmorris@namei.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: intel-gfx@lists.freedesktop.org
Cc: linux-doc@vger.kernel.org
Cc: linux-man@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: selinux@vger.kernel.org
Link: http://lore.kernel.org/lkml/17278551-9399-9ebe-d665-8827016a217d@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
perf-security: wrap paragraphs on 72 columns2019-02-17T23:05:00+00:00Alexey Budankovalexey.budankov@linux.intel.com2019-02-11T14:58:24+00:00urn:sha1:e85a198e30e9ffbc8e12986c1a8d29e6f0bc0af9
Implemented formatting of paragraphs to be not wider than 72 columns.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
perf-security: elaborate on perf_events/Perf privileged users2019-02-17T23:04:56+00:00Alexey Budankovalexey.budankov@linux.intel.com2019-02-11T13:44:55+00:00urn:sha1:e152c7b7bf56f4b00262463dcedfd92dd5629b6f
Elaborate on possible perf_event/Perf privileged users groups
and document steps about creating such groups.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
perf-security: document collected perf_events/Perf data categories2019-02-17T23:04:51+00:00Alexey Budankovalexey.budankov@linux.intel.com2019-02-11T13:43:54+00:00urn:sha1:68570ca0b4b5194c7680c5caf9669b6bcbc6153a
Document and categorize system and performance data into groups that
can be captured by perf_events/Perf and explicitly indicate the group
that can contain process sensitive data.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
perf-security: document perf_events/Perf resource control2019-02-17T23:04:45+00:00Alexey Budankovalexey.budankov@linux.intel.com2019-02-11T13:42:58+00:00urn:sha1:9d87bbae2d60ebbd1f28a4b5c65162051164c775
Extend perf-security.rst file with perf_events/Perf resource control
section describing RLIMIT_NOFILE and perf_event_mlock_kb settings for
performance monitoring user processes.
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Documentation/admin-guide: introduce perf-security.rst file2018-12-06T16:50:33+00:00Alexey Budankovalexey.budankov@linux.intel.com2018-11-27T08:15:37+00:00urn:sha1:76e7fd843ebb4bc36cf56424e8a5db6631cd3a61
Implement initial version of perf-security.rst documentation file
covering security concerns of perf_event_paranoid settings.
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>