From: Thomas Richter Date: Wed, 14 Jun 2023 07:37:42 +0000 (+0200) Subject: s390/cpum_cf: open access to hwctr device for CAP_PERFMON privileged process X-Git-Tag: v6.6.17~4583^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d0d3e218d50bc93282df7bded9193e6fc9ccda48;p=platform%2Fkernel%2Flinux-rpi.git s390/cpum_cf: open access to hwctr device for CAP_PERFMON privileged process The device /dev/hwctr was introduced to access complete CPU Measurement facility counter sets via an ioctl system call. The access the to device is limited to privileged processes running as root or superuser. The capability CAP_SYS_ADMIN is required. The device permissions are read/write for the device owner root. There is no need for this restriction. Make the device access permission read/write for all and reduce the capabilities to CAP_PERFMON. Any user space program with the CAP_PERFMON capability assigned to it can now read and display the CPU Measurement facility counter sets. For more details on perf tool usage and security, see linux documentation in Documentation/admin-guide/perf-security.rst. Signed-off-by: Thomas Richter Acked-by: Heiko Carstens Signed-off-by: Alexander Gordeev --- diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c index cf1b6e8..6be0387 100644 --- a/arch/s390/kernel/perf_cpum_cf.c +++ b/arch/s390/kernel/perf_cpum_cf.c @@ -1213,7 +1213,7 @@ static int cfset_release(struct inode *inode, struct file *file) static int cfset_open(struct inode *inode, struct file *file) { - if (!capable(CAP_SYS_ADMIN)) + if (!perfmon_capable()) return -EPERM; mutex_lock(&cfset_ctrset_mutex); if (atomic_inc_return(&cfset_opencnt) == 1) @@ -1502,6 +1502,7 @@ static struct miscdevice cfset_dev = { .name = S390_HWCTR_DEVICE, .minor = MISC_DYNAMIC_MINOR, .fops = &cfset_fops, + .mode = 0666, }; /* Hotplug add of a CPU. Scan through all active processes and add