• Andy Lutomirski's avatar
    perf/x86: Only allow rdpmc if a perf_event is mapped · 7911d3f7
    Andy Lutomirski authored
    We currently allow any process to use rdpmc.  This significantly
    weakens the protection offered by PR_TSC_DISABLED, and it could be
    helpful to users attempting to exploit timing attacks.
    
    Since we can't enable access to individual counters, use a very
    coarse heuristic to limit access to rdpmc: allow access only when
    a perf_event is mmapped.  This protects seccomp sandboxes.
    
    There is plenty of room to further tighen these restrictions.  For
    example, this allows rdpmc for any x86_pmu event, but it's only
    useful for self-monitoring tasks.
    
    As a side effect, cap_user_rdpmc will now be false for AMD uncore
    events.  This isn't a real regression, since .event_idx is disabled
    for these events anyway for the time being.  Whenever that gets
    re-added, the cap_user_rdpmc code can be adjusted or refactored
    accordingly.
    Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
    Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Vince Weaver <vince@deater.net>
    Cc: "hillf.zj" <hillf.zj@alibaba-inc.com>
    Cc: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/a2bdb3cf3a1d70c26980d7c6dddfbaa69f3182bf.1414190806.git.luto@amacapital.netSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
    7911d3f7
perf_event.h 20.5 KB