On Tue, Aug 01, 2017 at 11:30:04PM -0700, Yonghong Song wrote:
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 426c2ff..623c977 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -8050,7 +8050,7 @@ static void perf_event_free_bpf_handler(struct
> perf_event *event)
>
> static int perf_event_set_bpf_prog(struct perf_event *event, u32 prog_fd)
> {
> - bool is_kprobe, is_tracepoint;
> + bool is_cap_any, is_kprobe, is_tracepoint;
> struct bpf_prog *prog;
>
> if (event->attr.type != PERF_TYPE_TRACEPOINT)
> @@ -8059,9 +8059,11 @@ static int perf_event_set_bpf_prog(struct perf_event
> *event, u32 prog_fd)
> if (event->tp_event->prog)
> return -EEXIST;
>
> + /* currently, CAP_ANY only for sys_enter_* and sys_exit_* tracepoints */
> + is_cap_any = event->tp_event->flags & TRACE_EVENT_FL_CAP_ANY;
> is_kprobe = event->tp_event->flags & TRACE_EVENT_FL_UKPROBE;
> is_tracepoint = event->tp_event->flags & TRACE_EVENT_FL_TRACEPOINT;
> - if (!is_kprobe && !is_tracepoint)
> + if (!is_cap_any && !is_kprobe && !is_tracepoint)
> /* bpf programs can only be attached to u/kprobe or tracepoint
> */
> return -EINVAL;
>
> @@ -8070,7 +8072,8 @@ static int perf_event_set_bpf_prog(struct perf_event
> *event, u32 prog_fd)
> return PTR_ERR(prog);
>
> if ((is_kprobe && prog->type != BPF_PROG_TYPE_KPROBE) ||
> - (is_tracepoint && prog->type != BPF_PROG_TYPE_TRACEPOINT)) {
> + (is_tracepoint && prog->type != BPF_PROG_TYPE_TRACEPOINT) ||
> + (is_cap_any && prog->type != BPF_PROG_TYPE_TRACEPOINT)) {
> /* valid fd, but invalid bpf program type */
> bpf_prog_put(prog);
> return -EINVAL;
This looks wrong. FL_CAP_ANY is a privilege thing, not something that
identifies syscall hooks (it just so happens only those now have the bit
set, but that's an accident more than anything else).
