Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp4419429pxv; Tue, 27 Jul 2021 07:01:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxYBYLF+OfC/HTzvcBhfw+S1/Igz50fVxtrPG8fwSwD+zvxjSNRGWU61SdaeEZkrZ+RXEpV X-Received: by 2002:a05:6638:3048:: with SMTP id u8mr21488694jak.91.1627394468422; Tue, 27 Jul 2021 07:01:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627394468; cv=none; d=google.com; s=arc-20160816; b=QB0igGe9ANgX94zohFx/pxP1PgsMQFq4jlpWADxdU93rb83WRgs/AYJp1fiEDDVrnT 7OHivteegEqmOzO2Z8iiV/mrnCnPAmAXx6JbIXp7I+X2LCiOUqNXEVj61Lzgiitr5Yid PMSwv2GlaY2txKDN7hQagfNUuXAJ6xyo1WiYgZnap7QDry0suzhHMx6rL+tdEFqitoy6 lwZwNtBj3caZWK7tIpPQKBG4+obndTC7HcTpqcPtSdS4Q4pHt9k9TqHTGd9Z5gn2GyOb ZdnhjQRmn5vBxqGntDbT7DmNIe35XxYsz5a2Mjc/wNE2dHJwCNyKGANpWfU5H878oVVQ XhvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:robot-unsubscribe :robot-id:message-id:mime-version:references:in-reply-to:cc:subject :to:reply-to:sender:from:dkim-signature:dkim-signature:date; bh=G/NERakUa3tNBRiJaH0wo8QN/gj+iXhgbtmLMYOHAr0=; b=nZh7Y2Ye+AQhcpRD9sFcoOsX9bOCsO8T9PZSRU64Xffe2HyylDE+WjUzTN/+5mhfa/ igLtNdwUO7oQ3H+22V1saSupzyrQh+ooVmZ80BDc4vSgNrIjFLMRDdQdYrMuyZ1XnHw+ 4Ihp/ZM1bgfNmpdeEzbeYBMW8U4axFYGyRattSmpPULFkzz8rDFQhnbBMOOCi+MbJa7E kt8uAIme+agXJP76WJzt6ODjjr8Jgcc1ZfNMizugoves9NHGvSZ+5B51fC+tydGjb4nV tK2Rvp6OU/UQm4hLkfnYp50U0YodqefX7E5aQSjuwZ45cIbEdsjv1cmb06KiKSnJbFc8 6sMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=N2pztbHE; dkim=neutral (no key) header.i=@linutronix.de header.b=DYukTkVw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l7si3861739iow.27.2021.07.27.07.00.55; Tue, 27 Jul 2021 07:01:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=N2pztbHE; dkim=neutral (no key) header.i=@linutronix.de header.b=DYukTkVw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236623AbhG0N7a (ORCPT + 99 others); Tue, 27 Jul 2021 09:59:30 -0400 Received: from Galois.linutronix.de ([193.142.43.55]:51476 "EHLO galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236661AbhG0N65 (ORCPT ); Tue, 27 Jul 2021 09:58:57 -0400 Date: Tue, 27 Jul 2021 13:58:55 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1627394336; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=G/NERakUa3tNBRiJaH0wo8QN/gj+iXhgbtmLMYOHAr0=; b=N2pztbHEGumMB56D/GZ1mFVaV1QzKKpudw8w7y7B3oDDn8hdeI8YGrJxqnV8ofVTVgGLFy YdA4OWGEz6Tsdry8NO/hyJQa4yxPTQG58uif5+hYrNfxSpJOOesq8LFGfL8n6Db5e/Hc2s TVKVuhqJ4ZrsMHeIxG6UWPbT0HnByESrRUSIoTf+sA6y59U5wub8bcF/9nrsu4AVZOxc3y B5AdzItcXfCAv+hAMJ2csB4cFXNCAVwy+z2piLvkuy2eEHzQOviPhniaon+lLB0zSNvTG8 dRwd79gp/6NekQXaFYjjofcnV4fJXZhH3sio9d+YchbB8fDo081apnJHiCP8Eg== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1627394336; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=G/NERakUa3tNBRiJaH0wo8QN/gj+iXhgbtmLMYOHAr0=; b=DYukTkVwtc9YdZh/ybLr/qt2So5poRJg5zKg1TFb9syf4dIy5Ld2Q2f4630fuK01vjUiUx e9iBmZRFmpJNyvDw== From: "tip-bot2 for Marco Elver" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: perf/urgent] perf: Refactor permissions check into perf_check_permission() Cc: Marco Elver , "Peter Zijlstra (Intel)" , Dmitry Vyukov , x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: <20210705084453.2151729-2-elver@google.com> References: <20210705084453.2151729-2-elver@google.com> MIME-Version: 1.0 Message-ID: <162739433584.395.14125645089713310487.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The following commit has been merged into the perf/urgent branch of tip: Commit-ID: b068fc04de10fff8974f6ef32b861ad134d94ba4 Gitweb: https://git.kernel.org/tip/b068fc04de10fff8974f6ef32b861ad134d94ba4 Author: Marco Elver AuthorDate: Mon, 05 Jul 2021 10:44:53 +02:00 Committer: Peter Zijlstra CommitterDate: Fri, 16 Jul 2021 18:46:38 +02:00 perf: Refactor permissions check into perf_check_permission() Refactor the permission check in perf_event_open() into a helper perf_check_permission(). This makes the permission check logic more readable (because we no longer have a negated disjunction). Add a comment mentioning the ptrace check also checks the uid. No functional change intended. Signed-off-by: Marco Elver Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dmitry Vyukov Link: https://lore.kernel.org/r/20210705084453.2151729-2-elver@google.com --- kernel/events/core.c | 58 +++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 26 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index c13730b..1cb1f9b 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -11917,6 +11917,37 @@ again: return gctx; } +static bool +perf_check_permission(struct perf_event_attr *attr, struct task_struct *task) +{ + unsigned int ptrace_mode = PTRACE_MODE_READ_REALCREDS; + bool is_capable = perfmon_capable(); + + if (attr->sigtrap) { + /* + * perf_event_attr::sigtrap sends signals to the other task. + * Require the current task to also have CAP_KILL. + */ + rcu_read_lock(); + is_capable &= ns_capable(__task_cred(task)->user_ns, CAP_KILL); + rcu_read_unlock(); + + /* + * If the required capabilities aren't available, checks for + * ptrace permissions: upgrade to ATTACH, since sending signals + * can effectively change the target task. + */ + ptrace_mode = PTRACE_MODE_ATTACH_REALCREDS; + } + + /* + * Preserve ptrace permission check for backwards compatibility. The + * ptrace check also includes checks that the current task and other + * task have matching uids, and is therefore not done here explicitly. + */ + return is_capable || ptrace_may_access(task, ptrace_mode); +} + /** * sys_perf_event_open - open a performance event, associate it to a task/cpu * @@ -12158,43 +12189,18 @@ SYSCALL_DEFINE5(perf_event_open, } if (task) { - unsigned int ptrace_mode = PTRACE_MODE_READ_REALCREDS; - bool is_capable; - err = down_read_interruptible(&task->signal->exec_update_lock); if (err) goto err_file; - is_capable = perfmon_capable(); - if (attr.sigtrap) { - /* - * perf_event_attr::sigtrap sends signals to the other - * task. Require the current task to also have - * CAP_KILL. - */ - rcu_read_lock(); - is_capable &= ns_capable(__task_cred(task)->user_ns, CAP_KILL); - rcu_read_unlock(); - - /* - * If the required capabilities aren't available, checks - * for ptrace permissions: upgrade to ATTACH, since - * sending signals can effectively change the target - * task. - */ - ptrace_mode = PTRACE_MODE_ATTACH_REALCREDS; - } - /* - * Preserve ptrace permission check for backwards compatibility. - * * We must hold exec_update_lock across this and any potential * perf_install_in_context() call for this new event to * serialize against exec() altering our credentials (and the * perf_event_exit_task() that could imply). */ err = -EACCES; - if (!is_capable && !ptrace_may_access(task, ptrace_mode)) + if (!perf_check_permission(&attr, task)) goto err_cred; }