Date: Thu, 6 Jun 2013 11:12:06 +0200
From: Petr Matousek <pmatouse@...hat.com>
To: Stephane Eranian <eranian@...gle.com>
Cc: linux-kernel@...r.kernel.org, peterz@...radead.org, mingo@...e.hu,
meissner@...e.de, security@...nel.org,
oss-security@...ts.openwall.com, ak@...ux.intel.com
Subject: Re: [PATCH] perf: fix hypervisor branch sampling permission check
On Thu, Jun 06, 2013 at 11:02:04AM +0200, Stephane Eranian wrote:
>
> Commit 2b923c8 perf/x86: Check branch sampling priv level in generic code
> was missing the check for the hypervisor (HV) priv level, so add it back.
>
> With this patch, we get the following correct behavior:
>
> # echo 2 >/proc/sys/kernel/perf_event_paranoid
>
> $ perf record -j any,k noploop 1
> Error:
> You may not have permission to collect stats.
> Consider tweaking /proc/sys/kernel/perf_event_paranoid:
> -1 - Not paranoid at all
> 0 - Disallow raw tracepoint access for unpriv
> 1 - Disallow cpu events for unpriv
> 2 - Disallow kernel profiling for unpriv
>
> $ perf record -j any,hv noploop 1
> Error:
> You may not have permission to collect stats.
> Consider tweaking /proc/sys/kernel/perf_event_paranoid:
> -1 - Not paranoid at all
> 0 - Disallow raw tracepoint access for unpriv
> 1 - Disallow cpu events for unpriv
> 2 - Disallow kernel profiling for unpriv
>
> Signed-off-by: Stephane Eranian <eranian@...gle.com>
> ---
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 95edd5a..f0880fb 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -6501,8 +6501,8 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
> */
> attr->branch_sample_type = mask;
> }
> - /* kernel level capture: check permissions */
> - if ((mask & PERF_SAMPLE_BRANCH_KERNEL)
> + /* privileged levels capture (kernel, hv): check permissions */
> + if ((mask & PERF_SAMPLE_BRANCH_PERM_PLM)
> && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
> return -EACCES;
> }
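Review bot: in the changed condition, the test now depends entirely on PERF_SAMPLE_BRANCH_PERM_PLM, whose definition is not part of this diff (only kernel/events/core.c is touched), so the patch alone does not show that the mask covers both the kernel and hypervisor bits named in the new comment. Suggest saying in the changelog where the mask is defined and which branch-sampling bits it includes, so the comment "(kernel, hv)" can be checked against it. Since the changelog states that commit 2b923c8 dropped a permission check, the patch also looks like a candidate for a stable tag covering kernels that carry that commit.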
Acked-by: Petr Matousek <pmatouse@...hat.com>
--
Petr Matousek / Red Hat Security Response Team