From: Peter Zijlstra <a.p.zijlstra@chello.nl>
To: Ingo Molnar <mingo@elte.hu>
Cc: Paul Mackerras <paulus@samba.org>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
Frederic Weisbecker <fweisbec@gmail.com>,
Mike Galbraith <efault@gmx.de>,
linux-kernel@vger.kernel.org, Jens Axboe <jens.axboe@oracle.com>,
James Morris <jmorris@namei.org>
Subject: Re: [PATCH 1/4] perf_counter: Default to higher paranoia level
Date: Wed, 19 Aug 2009 16:07:33 +0200 [thread overview]
Message-ID: <1250690853.8282.59.camel@twins> (raw)
In-Reply-To: <20090819092023.728070630@chello.nl>
On Wed, 2009-08-19 at 11:18 +0200, Peter Zijlstra wrote:
> +static inline bool perf_paranoid_anon(void)
> +{
> + return !capable(CAP_SYS_ADMIN) && sysctl_perf_counter_paranoid > 1;
> }
>
> static inline bool perf_paranoid_kernel(void)
> {
> - return sysctl_perf_counter_paranoid > 1;
> + return !capable(CAP_SYS_ADMIN) && sysctl_perf_counter_paranoid > 2;
> +}
OK, this is buggy:
- capable() uses current, which is unlikely to be counter->owner,
- but even security_real_capable(counter->owner, ...) wouldn't
work, since the ->capable() callback isn't NMI safe
(selinux takes locks and does allocations in that path).
This puts a severe strain on more complex anonymizers since its
basically impossible to tell if counter->owner has permissions on
current from NMI context.
I'll fix up this patch to pre-compute the perf_paranoid_anon_ip() per
counter based on creation time state, unless somebody has a better idea.
I could possibly only anonymize IRQ context (SoftIRQ context is
difficult since in_softirq() means both in-softirq and
softirq-disabled).
next prev parent reply other threads:[~2009-08-19 14:07 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-19 9:18 [PATCH 0/4] perf counter bits Peter Zijlstra
2009-08-19 9:18 ` [PATCH 1/4] perf_counter: Default to higher paranoia level Peter Zijlstra
2009-08-19 14:07 ` Peter Zijlstra [this message]
2009-08-19 16:04 ` Frederic Weisbecker
2009-08-20 12:00 ` Peter Zijlstra
2009-08-21 14:21 ` Ingo Molnar
2009-08-24 7:29 ` Peter Zijlstra
2009-08-24 7:37 ` Ingo Molnar
2009-08-19 9:18 ` [PATCH 2/4] perf_counter: powerpc: Support the anonymized kernel callchain bits Peter Zijlstra
2009-08-19 13:30 ` [tip:perfcounters/core] perf_counter: powerpc: Support the anonimized " tip-bot for Peter Zijlstra
2009-08-19 9:18 ` [PATCH 3/4] perf tools: Check perf.data owner Peter Zijlstra
2009-08-19 13:32 ` [tip:perfcounters/core] " tip-bot for Peter Zijlstra
2009-08-19 9:18 ` [PATCH 4/4][RFC] perf_counter: Allow sharing of output channels Peter Zijlstra
2009-08-19 10:58 ` Ingo Molnar
2009-08-19 11:07 ` Peter Zijlstra
2009-08-19 12:41 ` Paul Mackerras
2009-08-19 12:36 ` Paul Mackerras
2009-08-19 12:56 ` Ingo Molnar
2009-08-19 12:56 ` Peter Zijlstra
2009-08-19 13:00 ` Ingo Molnar
2009-08-20 10:13 ` stephane eranian
2009-08-20 10:24 ` Peter Zijlstra
2009-08-20 10:28 ` Ingo Molnar
2009-08-19 16:19 ` Frederic Weisbecker
2009-08-19 16:24 ` Peter Zijlstra
2009-08-19 16:27 ` Frederic Weisbecker
2009-08-25 7:39 ` [tip:perfcounters/core] " tip-bot for Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1250690853.8282.59.camel@twins \
--to=a.p.zijlstra@chello.nl \
--cc=acme@redhat.com \
--cc=efault@gmx.de \
--cc=fweisbec@gmail.com \
--cc=jens.axboe@oracle.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.