@blue42u blue42u commented Oct 29, 2025

Currently perf_event_open is only allowed if both CAP_SYS_ADMIN and CAP_PERFMON are enabled. CAP_SYS_ADMIN is a very overloaded capability and is best avoided. This PR enables perf_event_open if either (or both) capabilities are enabled. In particular, this enables a container to profile itself by only enabling CAP_PERFMON.

This change does not deny anything new, nor does it enable perf_event_open by default. In summary:

| Capabilities | perf_event_open return (before) | perf_event_open return (after) |
|---|---|---|
| CAP_PERFMON + CAP_SYS_ADMIN | No error | No error |
| CAP_PERFMON | EPERM | No error |
| CAP_SYS_ADMIN | ENOSYS | No error |
| (none of the above) | EPERM | EPERM |

Previously perf_event_open was only allowed if both CAP_SYS_ADMIN and
CAP_PERFMON were granted. CAP_SYS_ADMIN in particular is a very
overloaded capability and is best avoided. This commit enables
perf_event_open if either (or both) capabilities are set; in particular,
this enables containers with only CAP_PERFMON to profile themselves.

This change does not deny anything new, nor does it enable
perf_event_open by default.

Signed-off-by: Jonathon Anderson <[email protected]>
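The table above is easiest to verify empirically. The following probe is an added example, not code from this PR or from the containers project: it opens the cheapest self-profiling event available (a software task-clock counter on the calling thread, user space only, created disabled) via the raw `perf_event_open` syscall and reports the errno. It assumes a Linux host with glibc and the kernel UAPI headers installed; the function names `probe_perf_event_open` and `perf_open_verdict` are this example's own.

```c
#include <errno.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Map the result of a perf_event_open attempt to one of the outcomes the
 * PR table distinguishes. `ret` is the raw syscall return value and `err`
 * the errno captured immediately after the call. */
const char *perf_open_verdict(long ret, int err)
{
    if (ret >= 0)
        return "allowed";
    switch (err) {
    case EPERM:
        return "EPERM";
    case ENOSYS:
        return "ENOSYS";
    case EACCES:
        return "EACCES";
    default:
        return "other";
    }
}

/* Try to open a software task-clock counter on the calling thread, user
 * space only, in the disabled state so nothing is actually measured.
 * Returns the new fd (>= 0, caller closes it) or -1 with *err set to errno.
 * glibc has no perf_event_open wrapper, so the raw syscall is used. */
long probe_perf_event_open(int *err)
{
    struct perf_event_attr attr;
    long fd;

    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_SW_TASK_CLOCK;
    attr.disabled = 1;
    attr.exclude_kernel = 1; /* a self-profiler needs no kernel samples */
    attr.exclude_hv = 1;

    /* pid = 0: this thread; cpu = -1: any CPU; group_fd = -1: no group */
    fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
    *err = (fd < 0) ? errno : 0;
    return fd;
}

int main(void)
{
    int err = 0;
    long fd = probe_perf_event_open(&err);

    printf("perf_event_open(PERF_COUNT_SW_TASK_CLOCK, self): %s",
           perf_open_verdict(fd, err));
    if (fd < 0)
        printf(" (%s)", strerror(err));
    else
        close(fd);
    printf("\n");
    return fd >= 0 ? 0 : 1;
}
```

Build it with `gcc -O2 -o perfprobe perfprobe.c`, then run it in three containers, once with `--cap-add=PERFMON`, once with `--cap-add=SYS_ADMIN`, and once with neither, and compare the printed errno against the table. Two caveats when reading the output: the errno returned for a seccomp-blocked syscall is whatever the profile's action configured (EPERM or ENOSYS here), so it is indistinguishable from an EPERM the kernel itself produces; and on hosts where `kernel.perf_event_paranoid` is set to 3 (a level some distribution kernels add) even this user-only self-event is refused without CAP_PERFMON, so run the probe once on the host first to establish the baseline.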
@github-actions

This repository has been migrated to https://github.com/containers/container-libs. Please open your PR there.

@github-actions github-actions bot closed this Oct 29, 2025
openshift-ci bot commented Oct 29, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: blue42u
Once this PR has been reviewed and has the lgtm label, please assign mtrmac for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
