> On Dec 18, 2019, at 1:24 AM, Alexey Budankov
> <alexey.budan...@linux.intel.com> wrote:
>
> Introduce CAP_SYS_PERFMON capability devoted to secure system performance
> monitoring and observability operations so that CAP_SYS_PERFMON would
> assist CAP_SYS_ADMIN capability in its governing role for perf_events,
> i915_perf and other subsystems of the kernel.
>
> CAP_SYS_PERFMON intends to harden system security and integrity during
> system performance monitoring and observability operations by decreasing
> attack surface that is available to CAP_SYS_ADMIN privileged processes.
>
> CAP_SYS_PERFMON intends to take over CAP_SYS_ADMIN credentials related
> to system performance monitoring and observability operations and balance
> amount of CAP_SYS_ADMIN credentials in accordance with the recommendations
> provided in the man page for CAP_SYS_ADMIN: "Note: this capability
> is overloaded; see Notes to kernel developers, below."
>
> Signed-off-by: Alexey Budankov <alexey.budan...@linux.intel.com>

Acked-by: Song Liu <songliubrav...@fb.com>
Intel-gfx mailing list