Re: [PATCH] perf: fix hypervisor branch sampling permission check

From: Petr Matousek
Date: Thu Jun 06 2013 - 05:13:39 EST


On Thu, Jun 06, 2013 at 11:02:04AM +0200, Stephane Eranian wrote:
>
> Commit 2b923c8 perf/x86: Check branch sampling priv level in generic code
> was missing the check for the hypervisor (HV) priv level, so add it back.
>
> With this patch, we get the following correct behavior:
>
> # echo 2 >/proc/sys/kernel/perf_event_paranoid
>
> $ perf record -j any,k noploop 1
> Error:
> You may not have permission to collect stats.
> Consider tweaking /proc/sys/kernel/perf_event_paranoid:
> -1 - Not paranoid at all
> 0 - Disallow raw tracepoint access for unpriv
> 1 - Disallow cpu events for unpriv
> 2 - Disallow kernel profiling for unpriv
>
> $ perf record -j any,hv noploop 1
> Error:
> You may not have permission to collect stats.
> Consider tweaking /proc/sys/kernel/perf_event_paranoid:
> -1 - Not paranoid at all
> 0 - Disallow raw tracepoint access for unpriv
> 1 - Disallow cpu events for unpriv
> 2 - Disallow kernel profiling for unpriv
>
> Signed-off-by: Stephane Eranian <eranian@xxxxxxxxxx>
> ---
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 95edd5a..f0880fb 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -6501,8 +6501,8 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
> */
> attr->branch_sample_type = mask;
> }
> - /* kernel level capture: check permissions */
> - if ((mask & PERF_SAMPLE_BRANCH_KERNEL)
> + /* privileged levels capture (kernel, hv): check permissions */
> + if ((mask & PERF_SAMPLE_BRANCH_PERM_PLM)
> && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
> return -EACCES;
> }
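
Review bot: The new condition on the "+" line tests mask against PERF_SAMPLE_BRANCH_PERM_PLM, but the definition of that macro is not part of this diff, so the hunk alone does not show which privilege bits are now gated. Please state in the commit message where the macro is defined and confirm it covers both PERF_SAMPLE_BRANCH_KERNEL and the hypervisor bit, since a mask that omitted KERNEL would silently drop the check the removed line made. The gate is still perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN), so the updated comment could also say that hypervisor-level sampling is deliberately tied to the same paranoid level as kernel sampling rather than a stricter one.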

Acked-by: Petr Matousek <pmatouse@xxxxxxxxxx>

--
Petr Matousek / Red Hat Security Response Team