seccomp: allow perf_event_open if CAP_PERFMON

[blue42u]

Currently perf_event_open is only allowed if both CAP_SYS_ADMIN and CAP_PERFMON are enabled. CAP_SYS_ADMIN is a very overloaded capability and is best avoided. This PR enables perf_event_open if either (or both) capabilities are enabled. In particular, this enables a container to profile itself by only enabling CAP_PERFMON.

This change does not deny anything new, nor does it enable perf_event_open by default. In summary:

Capabilities	perf_event_open return (before)	perf_event_open return (after)
CAP_PERFMON + CAP_SYS_ADMIN	No error	No error
CAP_PERFMON	EPERM	No error
CAP_SYS_ADMIN	ENOSYS	No error
(none of the above)	EPERM	EPERM

[podmanbot]

✅ A new PR has been created in buildah to vendor these changes: podman-container-tools/buildah#6461

[mtrmac]

@giuseppe PTAL. Historically I can see containers/common@daa81f1 was already supposed to enable this, which makes me worried about this PR.

[Luap99]

cc @martinetd

[giuseppe]

@giuseppe PTAL. Historically I can see containers/common@daa81f1 was already supposed to enable this, which makes me worried about this PR.

this new PR enables it with CAP_PERFMON which seems to me like a good idea

[giuseppe]

LGTM

[martinetd]

Oww, I had managed to screw up that old commit in two different places, sorry for that mess.
This diff looks good to me, both the moving from eperm-if-not-sysadmin to allow-if-sysadmin and deny-if-not-sysadmin-or-perfmon instead of deny-if-not-sysadmin-or-bpf parts are sound.

Just in case I also had a new look at the other commits of that old PR ( https://github.com/containers/common/pull/2040/commits ) and the only similar commit was about bpf, which looks correct to me, so I'm a bit confused about how this got so bad... Sorry again, and thanks for the cc!

[Luap99]

LGTM

[mtrmac]

Thanks @blue42u and @martinetd !