Git Repo - linux.git/commitdiff
s390/cpum_cf: open access to hwctr device for CAP_PERFMON privileged process
author Thomas Richter <[email protected]>
Wed, 14 Jun 2023 07:37:42 +0000 (09:37 +0200)
committer Alexander Gordeev <[email protected]>
Tue, 20 Jun 2023 17:55:00 +0000 (19:55 +0200)
The device /dev/hwctr was introduced to access complete
CPU Measurement facility counter sets via an ioctl system call.
The access to the device is limited to privileged processes
running as root or superuser. The capability CAP_SYS_ADMIN
is required.  The device permissions are read/write for the
device owner root. There is no need for this restriction.

Make the device access permission read/write for all and
reduce the capabilities to CAP_PERFMON.
Any user space program with the CAP_PERFMON capability assigned to it
can now read and display the CPU Measurement facility counter sets.

For more details on perf tool usage and security, see linux
documentation in Documentation/admin-guide/perf-security.rst.

Signed-off-by: Thomas Richter <[email protected]>
Acked-by: Heiko Carstens <[email protected]>
Signed-off-by: Alexander Gordeev <[email protected]>
arch/s390/kernel/perf_cpum_cf.c

index cf1b6e8a708de67dcc7bac3c02d4a64e05069fd1..6be0387d77e41e7881c3232040e57e87a79e579f 100644 (file)
@@ -1213,7 +1213,7 @@ static int cfset_release(struct inode *inode, struct file *file)
 
 static int cfset_open(struct inode *inode, struct file *file)
 {
-       if (!capable(CAP_SYS_ADMIN))
+       if (!perfmon_capable())
                return -EPERM;
        mutex_lock(&cfset_ctrset_mutex);
        if (atomic_inc_return(&cfset_opencnt) == 1)
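Review bot: The capability test in cfset_open() is made only at open time and carries no comment saying that it is now the sole gate on the device. Because the same patch sets the node to mode 0666, the line `if (!perfmon_capable())` is all that separates an unprivileged user from the counter sets; a short comment above it stating that, with a pointer to Documentation/admin-guide/perf-security.rst as in the commit message, would keep a later cleanup from weakening it. It is also worth confirming that a descriptor opened by a CAP_PERFMON process and then inherited by or passed to an unprivileged process is acceptable, since nothing in this hunk re-checks the capability after open.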
@@ -1502,6 +1502,7 @@ static struct miscdevice cfset_dev = {
        .name   = S390_HWCTR_DEVICE,
        .minor  = MISC_DYNAMIC_MINOR,
        .fops   = &cfset_fops,
+       .mode   = 0666,
 };
 
 /* Hotplug add of a CPU. Scan through all active processes and add
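Review bot: `.mode = 0666` in cfset_dev grants write permission on the node to every user, while the commit message describes only reading and displaying the counter sets. If the ioctl interface does not need the device opened for writing, 0444 would be the narrower choice; if it does, a one-line comment next to `.mode` saying that access is gated by perfmon_capable() in cfset_open() rather than by file permissions would make the world-writable mode read as intentional to anyone auditing /dev.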