Article 4ZPEY [$] CAP_PERFMON — and new capabilities in general

by corbet from LWN.net on (#4ZPEY)
The perf_event_open() system call is a complicated beast, requiring a fair amount of study to master. This call also has some interesting security implications: it can be used to obtain a lot of information about the running system, and the complexity of the underlying implementation has made it more than usually prone to unpleasant bugs. In current kernels, the security controls around perf_event_open() are simple, though: if you have the CAP_SYS_ADMIN capability, perf_event_open() is available to you (though the system administrator can make it available without any privilege at all). Some current work to create a new capability for the perf events subsystem would seem to make sense, raising the question of why adding new capabilities isn't done more often.