Re: [PATCH 1/4] perf_counter: Default to higher paranoia level

[Peter Zijlstra]

On Wed, 2009-08-19 at 11:18 +0200, Peter Zijlstra wrote:

> +static inline bool perf_paranoid_anon(void)
> +{
> +	return !capable(CAP_SYS_ADMIN) && sysctl_perf_counter_paranoid > 1;
>  }
>  
>  static inline bool perf_paranoid_kernel(void)
>  {
> -	return sysctl_perf_counter_paranoid > 1;
> +	return !capable(CAP_SYS_ADMIN) && sysctl_perf_counter_paranoid > 2;
> +}

OK, this is buggy:

 - capable() uses current, which is unlikely to be counter->owner,
 - but even security_real_capable(counter->owner, ...) wouldn't
   work, since the ->capable() callback isn't NMI safe
   (selinux takes locks and does allocations in that path).

This puts a severe strain on more complex anonymizers since its
basically impossible to tell if counter->owner has permissions on
current from NMI context.

I'll fix up this patch to pre-compute the perf_paranoid_anon_ip() per
counter based on creation time state, unless somebody has a better idea.

I could possibly only anonymize IRQ context (SoftIRQ context is
difficult since in_softirq() means both in-softirq and
softirq-disabled).



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/