From: "Dmitry V. Levin" <ldv@altlinux.org> To: devel-kernel@lists.altlinux.org Subject: Re: [d-kernel] [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open Date: Thu, 2 Jun 2022 10:14:38 +0300 Message-ID: <20220602071438.GA5852@altlinux.org> (raw) In-Reply-To: <20220602003100.524482-1-vt@altlinux.org> On Thu, Jun 02, 2022 at 03:31:00AM +0300, Vitaly Chikunov wrote: > From: Ben Hutchings <ben@decadent.org.uk> > > https://lkml.org/lkml/2016/1/11/587 > > The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity. Adds the > option to disable perf_event_open() entirely for unprivileged users. > This standalone version doesn't include making the variable read-only > (or renaming it). > > When kernel.perf_event_open is set to 3 (or greater), disallow all ----------------------------------------^ > access to performance events by users without CAP_SYS_ADMIN. > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that > makes this value the default. > > This is based on a similar feature in grsecurity > (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making > the variable read-only. It also allows enabling further restriction > at run-time regardless of whether the default is changed. > > Signed-off-by: Ben Hutchings <ben@decadent.org.uk> > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > [ saf: resolve conflicts with v5.8-rc1 ] > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > [ vt: Make it default y. ] > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > --- > include/linux/perf_event.h | 6 ++++++ > kernel/events/core.c | 8 ++++++++ > security/Kconfig | 10 ++++++++++ > 3 files changed, 24 insertions(+) > > diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h > index 733649184b27..b00607abbcdf 100644 > --- a/include/linux/perf_event.h > +++ b/include/linux/perf_event.h > @@ -1342,6 +1342,12 @@ int perf_event_max_stack_handler(struct ctl_table *table, int write, > #define PERF_SECURITY_CPU 1 > #define PERF_SECURITY_KERNEL 2 > #define PERF_SECURITY_TRACEPOINT 3 > +#define PERF_SECURITY_MAX 4 ----------------------------------------^ > + > +static inline bool perf_paranoid_any(void) > +{ > + return sysctl_perf_event_paranoid >= PERF_SECURITY_MAX; > +} > > static inline int perf_is_paranoid(void) > { > diff --git a/kernel/events/core.c b/kernel/events/core.c > index 2d7a23a7507b..15a3b37ae213 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -414,8 +414,13 @@ static struct kmem_cache *perf_event_cache; > * 0 - disallow raw tracepoint access for unpriv > * 1 - disallow cpu events for unpriv > * 2 - disallow kernel profiling for unpriv > + * 4 - disallow all unpriv perf event use --------^ > */ > +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT > +int sysctl_perf_event_paranoid __read_mostly = PERF_SECURITY_MAX; > +#else > int sysctl_perf_event_paranoid __read_mostly = 2; > +#endif > > /* Minimum for 512 kiB + 1 user control page */ > int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ > @@ -12148,6 +12153,9 @@ SYSCALL_DEFINE5(perf_event_open, > if (err) > return err; > > + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) > + return -EACCES; > + > err = perf_copy_attr(attr_uptr, &attr); > if (err) > return err; > diff --git a/security/Kconfig b/security/Kconfig > index 6c7b35c941c7..4861085a2d49 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -19,6 +19,16 @@ config SECURITY_DMESG_RESTRICT > > If you are unsure how to answer this question, answer N. > > +config SECURITY_PERF_EVENTS_RESTRICT > + bool "Restrict unprivileged use of performance events" > + depends on PERF_EVENTS > + default y > + help > + If you say Y here, the kernel.perf_event_paranoid sysctl > + will be set to 3 by default, and no unprivileged use of the -------------------------^ -- ldv
next prev parent reply other threads:[~2022-06-02 7:14 UTC|newest] Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-06-02 0:31 Vitaly Chikunov 2022-06-02 7:14 ` Dmitry V. Levin [this message] 2022-06-02 12:40 ` Vitaly Chikunov 2022-06-02 13:29 ` Vitaly Chikunov 2022-06-02 15:58 ` Andrey Savchenko 2022-06-02 17:06 ` Vitaly Chikunov 2022-06-02 18:26 ` Vladimir D. Seleznev 2022-06-02 18:42 ` Andrey Savchenko 2022-06-02 18:56 ` Dmitry V. Levin 2022-06-03 6:27 ` Andrey Savchenko 2022-06-02 19:08 ` Vladimir D. Seleznev 2022-06-03 6:16 ` Andrey Savchenko 2022-06-03 12:41 ` Vladimir D. Seleznev 2022-06-03 12:54 ` Andrey Savchenko 2022-06-02 15:15 ` Alexey Sheplyakov 2022-06-02 16:39 ` Dmitry V. Levin 2022-06-03 6:25 ` Andrey Savchenko 2022-06-03 15:07 ` Vitaly Chikunov 2022-06-05 7:48 ` Alexey Sheplyakov 2022-06-05 7:59 ` Dmitry V. Levin 2022-06-06 14:31 ` Alexey Sheplyakov 2022-06-05 13:04 ` Vladimir D. Seleznev 2022-06-06 9:20 ` Alexey Sheplyakov 2022-06-06 10:31 ` Andrey Savchenko 2022-06-06 12:10 ` Alexey Sheplyakov 2022-06-06 12:53 ` Vladimir D. Seleznev 2022-06-06 12:59 ` Vladimir D. Seleznev 2022-06-08 14:27 ` [d-kernel] right to profile (Re: [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open) Alexey Sheplyakov 2022-06-15 11:19 ` [d-kernel] [JT] Re: right to profile Michael Shigorin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220602071438.GA5852@altlinux.org \ --to=ldv@altlinux.org \ --cc=devel-kernel@lists.altlinux.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
ALT Linux kernel packages development This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \ devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com public-inbox-index devel-kernel Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel AGPL code for this site: git clone https://public-inbox.org/public-inbox.git