s.
>
> Add a separate NULL check to tell gcc about it as well.
>
> Signed-off-by: Arnd Bergmann
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
fixes-v5.12
--
James Morris
___
Intel-gfx mailing list
Intel-gfx@
please share your mind?
Alexey,
It seems some of the previous Acks are not included in this patchset, e.g.
https://lkml.org/lkml/2020/1/22/655
Every patch needs a Reviewed-by or Acked-by from maintainers of the code
being changed.
You have enough from the security
0
> > > CapPrm: 00440008
> > > CapEff: 00440008 => 01000100 1000
> > > cap_perfmon,cap_sys_ptrace,cap_syslog
> > > CapBnd: 007f
> > > CapAmb:
> > > NoNewPrivs: 0
> > > Seccomp:0
> > > Speculation_Store_Bypass: thread vulnerable
> > > Cpus_allowed: ff
> > > Cpus_allowed_list: 0-7
> > > ...
> > >
> > > Usage of cap_perfmon effectively avoids unused credentials excess:
> > >
> > > - with cap_sys_admin:
> > > CapEff: 007f => 0111
> > >
> > > - with cap_perfmon:
> > > CapEff: 00440008 => 01000100 1000
> > > 38 34 19
> > > perfmon syslog sys_ptrace
> > >
> > > ---
> > > [1] https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
> > > [2] http://man7.org/linux/man-pages/man7/capabilities.7.html
> > > [3] https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html
> > > [4] https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
> > > [5] https://www.kernel.org/doc/html/latest/process/management-style.html#decisions
> > > [6] http://man7.org/linux/man-pages/man8/setcap.8.html
> > > [7] https://git.kernel.org/pub/scm/libs/libcap/libcap.git
> > > [8] https://sites.google.com/site/fullycapable/, posix_1003.1e-990310.pdf
> > > [9] http://man7.org/linux/man-pages/man2/perf_event_open.2.html
> > >
>
--
James Morris
ADMIN privileged processes but CAP_SYS_ADMIN
> usage for secure perf_events monitoring is discouraged with respect to
> CAP_PERFMON capability.
>
> Signed-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
rocesses but CAP_SYS_ADMIN
> usage for secure bpf_trace monitoring is discouraged with respect to
> CAP_PERFMON capability.
>
> Signed-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
ned-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
ned-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
m
> remains open for CAP_SYS_ADMIN privileged processes but CAP_SYS_ADMIN
> usage for secure perf_events monitoring is discouraged with respect to
> CAP_PERFMON capability.
>
> Signed-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
ned-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
rocesses but CAP_SYS_ADMIN
> usage for secure i915_events monitoring is discouraged with respect to
> CAP_PERFMON capability.
>
> Signed-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
rocesses but CAP_SYS_ADMIN
> usage for secure perf_events monitoring is discouraged with respect to
> CAP_PERFMON capability.
>
> Signed-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
ned-off-by: Alexey Budankov
Reviewed-by: James Morris
--
James Morris
d observability subsystems.
Acked-by: James Morris
--
James Morris
IN privileged processes but CAP_SYS_ADMIN usage for
> secure perf_events monitoring is discouraged with respect to CAP_PERFMON
> capability.
>
> Signed-off-by: Alexey Budankov
> ---
> kernel/events/core.c | 4 ++--
> 1 file chan
t; return -ENOENT;
>
> - if (!capable(CAP_SYS_ADMIN))
> + if (!perfmon_capable())
> return -EACCES;
>
> /* Return if this is a couting event */
>
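Review bot: the new `if (!perfmon_capable())` check has no comment saying that CAP_SYS_ADMIN is still accepted, although the commit message states that access remains open for CAP_SYS_ADMIN privileged processes. A one-line comment above the check, noting that perfmon_capable() passes for either CAP_PERFMON or CAP_SYS_ADMIN, would make that visible to someone auditing this path without the commit log at hand.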
Acked-by: James Morris
--
James Morris
AP_SYS_ADMIN usage for secure
> monitoring is discouraged with respect to CAP_PERFMON capability.
>
> Signed-off-by: Alexey Budankov
> ---
> drivers/oprofile/event_buffer.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Acked-by: James Morris
>
> diff --git a/driv
deletions(-)
Acked-by: James Morris
--
James Morris
AP_SYS_ADMIN usage for secure
> monitoring is discouraged with respect to CAP_PERFMON capability.
>
> Signed-off-by: Alexey Budankov
> ---
> drivers/perf/arm_spe_pmu.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
Acked-by: James Morris
> diff --git a/drivers
if (!capable(CAP_SYS_ADMIN))
> + if (!perfmon_capable())
> return -EACCES;
>
> if (count != sizeof(uint32_t))
>
Acked-by: James Morris
--
James Morris
ble(CAP_SYS_ADMIN))
> + if (!perfmon_capable())
> return -EPERM;
> if (event->attr.type != PERF_TYPE_TRACEPOINT)
> return -EINVAL;
>
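Review bot: the failure path after `if (!perfmon_capable())` in this hunk returns -EPERM, while the same substitution in the other hunks shown for this series returns -EACCES. Keeping each site's existing errno is reasonable, but the commit message should say that the return codes are intentionally left unchanged, so that tooling which reports a missing CAP_PERFMON knows to handle both values.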
Acked-by: James Morris
--
James Morris