]>
1 | From: Jeff Vander Stoep <jeffv@google.com> |
2 | Date: Wed, 27 Jul 2016 07:45:46 -0700 | |
3 | Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com> | |
4 | Subject: [kernel-hardening] [PATCH 1/2] security, | |
5 | perf: allow further restriction of perf_event_open | |
6 | ||
7 | When kernel.perf_event_paranoid is set to 3 (or greater), disallow | |
8 | all access to performance events by users without CAP_SYS_ADMIN. | |
9 | ||
10 | This new level of restriction is intended to reduce the attack | |
11 | surface of the kernel. Perf is a valuable tool for developers but | |
12 | is generally unnecessary and unused on production systems. Perf may | |
13 | open up an attack vector to vulnerable device-specific drivers as | |
14 | recently demonstrated in CVE-2016-0805, CVE-2016-0819, | |
15 | CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of | |
16 | restriction allows for a safe default to be set on production systems | |
17 | while leaving a simple means for developers to grant access [1]. | |
18 | ||
19 | This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad | |
20 | Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches | |
21 | have been modified and split up to address on-list feedback. | |
22 | ||
23 | kernel.perf_event_paranoid=3 is the default on both Debian [2] and | |
24 | Android [3]. | |
25 | ||
26 | [1] Making perf available to developers on Android: | |
27 | https://android-review.googlesource.com/#/c/234400/ | |
28 | [2] Original patch by Ben Hutchings: | |
29 | https://lkml.org/lkml/2016/1/11/587 | |
30 | [3] https://android-review.googlesource.com/#/c/234743/ | |
31 | ||
32 | Signed-off-by: Jeff Vander Stoep <jeffv@google.com> | |
33 | Reviewed-by: Kees Cook <keescook@chromium.org> | |
34 | --- | |
35 | Documentation/sysctl/kernel.txt | 1 + | |
36 | include/linux/perf_event.h | 5 +++++ | |
37 | kernel/events/core.c | 4 ++++ | |
38 | 3 files changed, 10 insertions(+) | |
39 | ||
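--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1346,6 +1346,11 @@
 return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
 }
 
+static inline bool perf_paranoid_any(void)
+{
+ return sysctl_perf_event_paranoid > 2;
+}
+
 extern void perf_event_init(void);
 extern void perf_tp_event(u16 event_type, u64 count, void *record,
 int entry_size, struct pt_regs *regs,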
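Review bot: `perf_paranoid_any()` encodes the new restriction level as a bare `> 2` with no comment, and the comment that actually defines level 3 lives in kernel/events/core.c, so a reader of this header cannot tell what the threshold means. A one-line comment above the definition, `/* Level 3 and above: refuse perf_event_open() to unprivileged callers entirely. */`, ties the magic number to the documented level. The comment should also state that, unlike the neighbouring `perf_allow_*` helpers (the tail of one ends just above the hunk, returning through `security_perf_event_open()`), this helper only tests the sysctl and leaves both the capability check and the LSM hook to its caller, so nobody later treats its return value as a complete access decision.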
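--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -414,6 +414,7 @@
  * 0 - disallow raw tracepoint access for unpriv
  * 1 - disallow cpu events for unpriv
  * 2 - disallow kernel profiling for unpriv
+ * 3 - disallow all unpriv perf event use
  */
 int sysctl_perf_event_paranoid __read_mostly = 2;
 
@@ -12090,6 +12091,9 @@
 if (err)
 return err;
 
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
 err = perf_copy_attr(attr_uptr, &attr);
 if (err)
 return err;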
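Review bot: The new gate `if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))` demands CAP_SYS_ADMIN, whereas in a 5.15 tree the level-1/level-2 gates in the `perf_allow_*` helpers test `perfmon_capable()`, which also accepts CAP_PERFMON, so a process granted only CAP_PERFMON passes the level-2 checks yet is refused outright at level 3 — presumably unintended, since the 2016 patch this is derived from predates CAP_PERFMON. If the levels are meant to stay monotonic, `if (perf_paranoid_any() && !perfmon_capable())` does that; if CAP_SYS_ADMIN is deliberately required at level 3, the comment in the first hunk should say so, e.g. `* 3 - disallow all perf event use without CAP_SYS_ADMIN`. Placing the check before `perf_copy_attr()` is right, as the denial happens before any user-supplied attr is parsed. The enclosing `perf_event_open` syscall body starts and ends outside the hunk. The diffstat also lists `Documentation/sysctl/kernel.txt`, but no hunk for it appears in this patch, so the sysctl documentation will not describe level 3 unless that hunk is restored.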