I was surprised to notice that, by default, every task has permission to use rdpmc. seccomp cannot work around this. This leaks information, although the information leaked is of dubious and variable value to an attacker. It also renders the PR_TSC_SEGV mechanism mostly useless.
Would it make sense to restrict rdpmc to tasks that are in mms that have a perf_event mapping? After all, unless I misunderstand something, user code can't reliably use rdpmc unless they've mapped a perf_event object to check the rdpmc bit and figure out what ecx value to use. I think that this could be implemented with very little overhead, especially if combined with the existing CR4_TSD code and if that code were taught to avoid reading cr4. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
