From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa.local.altlinux.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.1 Date: Thu, 2 Jun 2022 18:58:41 +0300 From: Andrey Savchenko To: ALT Linux kernel packages development Message-Id: <20220602185841.5c4c9d6f8655cdacbdb5decb@altlinux.org> In-Reply-To: <20220602124038.ov7aoh5qcbrvc4ei@altlinux.org> References: <20220602003100.524482-1-vt@altlinux.org> <20220602071438.GA5852@altlinux.org> <20220602124038.ov7aoh5qcbrvc4ei@altlinux.org> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-alt-linux-gnu) Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="PGP-SHA512"; boundary="Signature=_Thu__2_Jun_2022_18_58_41_+0300_hEORtszepSg6e0BN" Subject: Re: [d-kernel] [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jun 2022 15:58:51 -0000 Archived-At: List-Archive: List-Post: --Signature=_Thu__2_Jun_2022_18_58_41_+0300_hEORtszepSg6e0BN Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, 2 Jun 2022 15:40:38 +0300 Vitaly Chikunov wrote: > Dmitry, >=20 > On Thu, Jun 02, 2022 at 10:14:38AM +0300, Dmitry V. Levin wrote: > > On Thu, Jun 02, 2022 at 03:31:00AM +0300, Vitaly Chikunov wrote: > > > From: Ben Hutchings > > >=20 > > > https://lkml.org/lkml/2016/1/11/587 > > >=20 > > > The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity. Adds the > > > option to disable perf_event_open() entirely for unprivileged users. > > > This standalone version doesn't include making the variable read-only > > > (or renaming it). > > >=20 > > > When kernel.perf_event_open is set to 3 (or greater), disallow all > > ----------------------------------------^ > >=20 > > > access to performance events by users without CAP_SYS_ADMIN. > > > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that > > > makes this value the default. > > >=20 > > > This is based on a similar feature in grsecurity > > > (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making > > > the variable read-only. It also allows enabling further restriction > > > at run-time regardless of whether the default is changed. > > >=20 > > > Signed-off-by: Ben Hutchings > > > Signed-off-by: Tim Gardner > > > [ saf: resolve conflicts with v5.8-rc1 ] > > > Signed-off-by: Seth Forshee > > > [ vt: Make it default y. ] > > > Signed-off-by: Vitaly Chikunov > > > --- > > > include/linux/perf_event.h | 6 ++++++ > > > kernel/events/core.c | 8 ++++++++ > > > security/Kconfig | 10 ++++++++++ > > > 3 files changed, 24 insertions(+) > > >=20 > > > diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h > > > index 733649184b27..b00607abbcdf 100644 > > > --- a/include/linux/perf_event.h > > > +++ b/include/linux/perf_event.h > > > @@ -1342,6 +1342,12 @@ int perf_event_max_stack_handler(struct ctl_ta= ble *table, int write, > > > #define PERF_SECURITY_CPU 1 > > > #define PERF_SECURITY_KERNEL 2 > > > #define PERF_SECURITY_TRACEPOINT 3 > > > +#define PERF_SECURITY_MAX 4 > > ----------------------------------------^ > >=20 > > > + > > > +static inline bool perf_paranoid_any(void) > > > +{ > > > + return sysctl_perf_event_paranoid >=3D PERF_SECURITY_MAX; > > > +} > > > =20 > > > static inline int perf_is_paranoid(void) > > > { > > > diff --git a/kernel/events/core.c b/kernel/events/core.c > > > index 2d7a23a7507b..15a3b37ae213 100644 > > > --- a/kernel/events/core.c > > > +++ b/kernel/events/core.c > > > @@ -414,8 +414,13 @@ static struct kmem_cache *perf_event_cache; > > > * 0 - disallow raw tracepoint access for unpriv > > > * 1 - disallow cpu events for unpriv > > > * 2 - disallow kernel profiling for unpriv > > > + * 4 - disallow all unpriv perf event use > > --------^ > >=20 > > > */ > > > +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT > > > +int sysctl_perf_event_paranoid __read_mostly =3D PERF_SECURITY_MAX; > > > +#else > > > int sysctl_perf_event_paranoid __read_mostly =3D 2; > > > +#endif > > > =20 > > > /* Minimum for 512 kiB + 1 user control page */ > > > int sysctl_perf_event_mlock __read_mostly =3D 512 + (PAGE_SIZE / 102= 4); /* 'free' kiB per user */ > > > @@ -12148,6 +12153,9 @@ SYSCALL_DEFINE5(perf_event_open, > > > if (err) > > > return err; > > > =20 > > > + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) > > > + return -EACCES; > > > + > > > err =3D perf_copy_attr(attr_uptr, &attr); > > > if (err) > > > return err; > > > diff --git a/security/Kconfig b/security/Kconfig > > > index 6c7b35c941c7..4861085a2d49 100644 > > > --- a/security/Kconfig > > > +++ b/security/Kconfig > > > @@ -19,6 +19,16 @@ config SECURITY_DMESG_RESTRICT > > > =20 > > > If you are unsure how to answer this question, answer N. > > > =20 > > > +config SECURITY_PERF_EVENTS_RESTRICT > > > + bool "Restrict unprivileged use of performance events" > > > + depends on PERF_EVENTS > > > + default y > > > + help > > > + If you say Y here, the kernel.perf_event_paranoid sysctl > > > + will be set to 3 by default, and no unprivileged use of the > > -------------------------^ >=20 > =D0=AF =D1=8D=D1=82=D0=BE =D0=B7=D0=B0=D0=BC=D0=B5=D1=82=D0=B8=D0=BB, =D0= =BD=D0=BE, =D0=B4=D1=83=D0=BC=D0=B0=D1=8E, =D1=82=D0=B0=D0=BA =D0=BD=D0=B0= =D0=B4=D0=BE =D0=B8 =D0=BE=D1=81=D1=82=D0=B0=D0=B2=D0=B8=D1=82=D1=8C. =D0=9C=D0=BE=D0=B6=D0=BD=D0=BE =D0=BF=D0=BE=D1=8F=D1=81=D0=BD=D0=B8=D1=82= =D1=8C =D0=B7=D0=B0=D1=87=D0=B5=D0=BC? =D0=9A=D0=B0=D0=BA=D0=B8=D0=B5 =D0= =B7=D0=B0=D0=B4=D0=B0=D1=87=D0=B8 =D0=BF=D0=BB=D0=B0=D0=BD=D0=B8=D1=80=D1= =83=D0=B5=D1=82=D1=81=D1=8F =D1=8D=D1=82=D0=B8=D0=BC =D1=80=D0=B5=D1=88=D0= =B8=D1=82=D1=8C? =D0=A1=D1=87=D0=B8=D1=82=D0=B0=D0=B5=D1=82=D1=81=D1=8F =D0=BB=D0=B8 =D0=BD= =D0=BE=D1=80=D0=BC=D0=B0=D0=BB=D1=8C=D0=BD=D1=8B=D0=BC, =D1=87=D1=82=D0=BE = =D0=BF=D1=80=D0=BE=D1=84=D0=B8=D0=BB=D0=B8=D1=80=D0=BE=D0=B2=D0=B0=D1=82=D1= =8C =D0=BD=D1=83=D0=B6=D0=BD=D0=BE =D0=B1=D1=83=D0=B4=D0=B5=D1=82 =D0=BF=D0= =BE=D0=B4 =D1=80=D1=83=D1=82=D0=BE=D0=BC? =D0=92=D1=81=D1=91 =D0=B6=D0=B5 =D1=85=D0=BE=D1=82=D0=B5=D0=BB=D0=BE=D1=81= =D1=8C =D0=B1=D1=8B, =D1=87=D1=82=D0=BE=D0=B1 =D0=BF=D0=BE=D0=BB=D1=8C=D0= =B7=D0=BE=D0=B2=D0=B0=D1=82=D0=B5=D0=BB=D1=8C =D0=BC=D0=BE=D0=B3 =D0=BF=D0= =BE=D0=BB=D0=BD=D0=BE=D1=86=D0=B5=D0=BD=D0=BD=D0=BE =D0=B7=D0=B0=D0=BD=D0= =B8=D0=BC=D0=B0=D1=82=D1=8C=D1=81=D1=8F =D1=80=D0=B0=D0=B7=D1=80=D0=B0=D0=B1=D0=BE=D1=82=D0=BA=D0=BE=D0=B9 =D0=B8 = =D0=BE=D1=82=D0=BB=D0=B0=D0=B4=D0=BA=D0=BE=D0=B9 =D0=BF=D1=80=D0=B8=D0=BB= =D0=BE=D0=B6=D0=B5=D0=BD=D0=B8=D0=B9. Best regards, Andrew Savchenko --Signature=_Thu__2_Jun_2022_18_58_41_+0300_hEORtszepSg6e0BN Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE63ZIHsdeM+1XgNer9lNaM7oe5I0FAmKY3jEACgkQ9lNaM7oe 5I147BAAhxQShrPaRSBXaK6Kh/RKvSXD4EP+BL3zyYUroXaBGAdcuMCrMvHDJJIg zT+aoOpvDLxMLcmwn+07ir8XbzZxXiQFG1dnf7I+uFOedE+0uNBrY8buAWamMRbQ y6b6jIUI8wo/SBQOfVr47OV79hoKPHvtb6hdOhGqByvrv3gpcBV2icQvLauk0Pi5 gx7/c4AkVUuAMICYmPbYc3MX6z+4M1i7J7IVW6SSrgCLU9j1VaixbgYDRi8CCIJn cPWDwClajG9O28WtZp9/wYwS3AkPtooDD59eQBWQmSo3aj2ikS/88kqzO2xh/cKi LOQ8OROpssp0pV4ImpazuSMEmwbx8ZTdRBSVIWOcr8jpI95EmHmCJmItdlCmxtrN AK80Y7n0UlLeQEoFBx0yLH8JOlUxcVptrCM7w1EQBRY8TcFTvLElThNiqdKEtgR7 SqOa6V2ibbM276/LR/yXBsv5d5NLxTp8LMSVfWJsWsYZ1T5aVcHplHtW6G4GpeqV dA4U5Bp2fK15mvH5O4CHip5uRDcYnOlJPumzYbF6npKU3+a0YfRb/gf+NyJwg42K 3Qom5jJ+oYMnQcN1DFQANZ9OA6xCBoognJ5atBPo/8rtXi5bziDgEG3VdxFvix3w iBk1ckUBjw3YYmILK5jA626o5lzbmZtZ74n9jSh5RpireVxeCEk= =yMgS -----END PGP SIGNATURE----- --Signature=_Thu__2_Jun_2022_18_58_41_+0300_hEORtszepSg6e0BN--