On 12/5/19 9:04 AM, Dominick Grift wrote:
> I am also trying out the new perf_event access vectors. I use the perf util for this.
> Whilst I was confining `perf` at some point there were no avc denials anymore but `perf` was segfaulting in enforcing mode.
> After some brute force it turns out that it wanted access to cap_syslog.
> My question: why was it not logging the capability2 syslog event?
> Could this be due to an access vectors ordering issue?

Sometimes capability checks are not audited by the kernel because a
denial is not fatal to the operation; it just causes the kernel to fall
back to an unprivileged code path or provide a hashed or NULL value for
sensitive data. Offhand, I'd guess you are hitting one of these two checks:

    ./kernel/kallsyms.c: if (has_capability_noaudit(current, CAP_SYSLOG))
    ./lib/vsprintf.c: if (!has_capability_noaudit(current, CAP_SYSLOG) ||

In these cases, you'll end up with NULL pointer values to avoid leaking
kernel pointers to userspace, and perf apparently doesn't bother
checking before dereferencing them.
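
An added example, not part of the original message and not perf's own code: the kind of check the reply says is missing, written as a C routine that scans text in /proc/kallsyms format and reports when the kernel has zeroed every address so that none is used as a pointer. The function names, symbol names and sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count well-formed "<hex addr> <type> <name>" lines and how many have
 * address 0. Overlong or malformed lines are skipped, not trusted. */
static void scan_kallsyms(const char *text, size_t *total, size_t *zeroed)
{
    *total = *zeroed = 0;
    for (const char *p = text; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256], type, name[128];
        unsigned long long addr;
        if (len < sizeof(line)) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (sscanf(line, "%llx %c %127s", &addr, &type, name) == 3) {
                (*total)++;
                if (addr == 0)
                    (*zeroed)++;
            }
        }
        p += len + (eol ? 1 : 0);
    }
}

/* Returns 1 if every symbol address is zero (masked by the kernel, so no
 * address may be used), 0 if real addresses are present, -1 if nothing
 * parsed. One zero among real addresses is not treated as masking. */
int kallsyms_masked(const char *text)
{
    size_t total, zeroed;
    scan_kallsyms(text, &total, &zeroed);
    if (total == 0)
        return -1;
    return zeroed == total;
}

/* Constructed samples in /proc/kallsyms format, not real captures. */
static const char SAMPLE_MASKED[] =
    "0000000000000000 T _stext\n"
    "0000000000000000 t example_helper\t[example_mod]\n";
static const char SAMPLE_VISIBLE[] =
    "ffffffff81000000 T _stext\n"
    "ffffffff81002a10 t example_helper\t[example_mod]\n";

int main(void)
{
    printf("masked=%d\n", kallsyms_masked(SAMPLE_MASKED));
    printf("visible=%d\n", kallsyms_masked(SAMPLE_VISIBLE));
    return 0;
}
```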