projects / people / pmueller / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 400c4e8e PM |
1 | From: Jeff Vander Stoep <jeffv@google.com> |
| 2 | Date: Wed, 27 Jul 2016 07:45:46 -0700 | |
| 3 | Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com> | |
| 4 | Subject: [kernel-hardening] [PATCH 1/2] security, | |
| 5 | perf: allow further restriction of perf_event_open | |
| 6 | ||
| 7 | When kernel.perf_event_paranoid is set to 3 (or greater), disallow | |
| 8 | all access to performance events by users without CAP_SYS_ADMIN. | |
| 9 | ||
| 10 | This new level of restriction is intended to reduce the attack | |
| 11 | surface of the kernel. Perf is a valuable tool for developers but | |
| 12 | is generally unnecessary and unused on production systems. Perf may | |
| 13 | open up an attack vector to vulnerable device-specific drivers as | |
| 14 | recently demonstrated in CVE-2016-0805, CVE-2016-0819, | |
| 15 | CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of | |
| 16 | restriction allows for a safe default to be set on production systems | |
| 17 | while leaving a simple means for developers to grant access [1]. | |
| 18 | ||
| 19 | This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad | |
| 20 | Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches | |
| 21 | have been modified and split up to address on-list feedback. | |
| 22 | ||
| 23 | kernel.perf_event_paranoid=3 is the default on both Debian [2] and | |
| 24 | Android [3]. | |
| 25 | ||
| 26 | [1] Making perf available to developers on Android: | |
| 27 | https://android-review.googlesource.com/#/c/234400/ | |
| 28 | [2] Original patch by Ben Hutchings: | |
| 29 | https://lkml.org/lkml/2016/1/11/587 | |
| 30 | [3] https://android-review.googlesource.com/#/c/234743/ | |
| 31 | ||
| 32 | Signed-off-by: Jeff Vander Stoep <jeffv@google.com> | |
| 33 | Reviewed-by: Kees Cook <keescook@chromium.org> | |
| 34 | --- | |
| 35 | Documentation/sysctl/kernel.txt | 1 + | |
| 36 | include/linux/perf_event.h | 5 +++++ | |
| 37 | kernel/events/core.c | 4 ++++ | |
| 38 | 3 files changed, 10 insertions(+) | |
| 39 | ||
| 40 | diff -Naur linux-5.15.22.orig/include/linux/perf_event.h linux-5.15.22/include/linux/perf_event.h | |
| 41 | --- linux-5.15.22.orig/include/linux/perf_event.h 2022-02-11 15:39:26.163576222 +0000 | |
| 42 | +++ linux-5.15.22/include/linux/perf_event.h 2022-02-11 15:42:16.719697397 +0000 | |
| 43 | @@ -1346,6 +1346,11 @@ | |
| 44 | return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT); | |
| 45 | } | |
| 46 | ||
| 47 | +static inline bool perf_paranoid_any(void) | |
| 48 | +{ | |
| 49 | + return sysctl_perf_event_paranoid > 2; | |
| 50 | +} | |
| 51 | + | |
| 52 | extern void perf_event_init(void); | |
| 53 | extern void perf_tp_event(u16 event_type, u64 count, void *record, | |
| 54 | int entry_size, struct pt_regs *regs, | |
| 55 | diff -Naur linux-5.15.22.orig/kernel/events/core.c linux-5.15.22/kernel/events/core.c | |
| 56 | --- linux-5.15.22.orig/kernel/events/core.c 2022-02-11 15:39:27.667683028 +0000 | |
| 57 | +++ linux-5.15.22/kernel/events/core.c 2022-02-11 15:42:16.723697680 +0000 | |
| 58 | @@ -414,6 +414,7 @@ | |
| 59 | * 0 - disallow raw tracepoint access for unpriv | |
| 60 | * 1 - disallow cpu events for unpriv | |
| 61 | * 2 - disallow kernel profiling for unpriv | |
| 62 | + * 3 - disallow all unpriv perf event use | |
| 63 | */ | |
| 64 | int sysctl_perf_event_paranoid __read_mostly = 2; | |
| 65 | ||
| 66 | @@ -12090,6 +12091,9 @@ | |
| 67 | if (err) | |
| 68 | return err; | |
| 69 | ||
| 70 | + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) | |
| 71 | + return -EACCES; | |
| 72 | + | |
| 73 | err = perf_copy_attr(attr_uptr, &attr); | |
| 74 | if (err) | |
| 75 | return err; |