From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 27 Jul 2016 07:45:46 -0700
Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com>
Subject: [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open
When kernel.perf_event_paranoid is set to 3 (or greater), disallow
all access to performance events by users without CAP_SYS_ADMIN.

This new level of restriction is intended to reduce the attack
surface of the kernel. Perf is a valuable tool for developers but
is generally unnecessary and unused on production systems. Perf may
open up an attack vector to vulnerable device-specific drivers as
recently demonstrated in CVE-2016-0805, CVE-2016-0819,
CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of
restriction allows for a safe default to be set on production systems
while leaving a simple means for developers to grant access [1].

This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad
Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches
have been modified and split up to address on-list feedback.

kernel.perf_event_paranoid=3 is the default on both Debian [2] and

[1] Making perf available to developers on Android:
https://android-review.googlesource.com/#/c/234400/
[2] Original patch by Ben Hutchings:
https://lkml.org/lkml/2016/1/11/587
[3] https://android-review.googlesource.com/#/c/234743/

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Documentation/sysctl/kernel.txt | 1 +
include/linux/perf_event.h | 5 +++++
kernel/events/core.c | 4 ++++
3 files changed, 10 insertions(+)
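The commit message states the policy (level 3 or greater refuses perf_event_open() to anyone without CAP_SYS_ADMIN) but gives an administrator no way to confirm that a deployed kernel enforces it. The following program is an added example, not part of this patch or of the kernel: it reads the live sysctl, predicts from the patch's rule whether the least privileged perf request (a software counter on the calling task, kernel excluded) should be accepted, performs that request, and reports a mismatch. Two things it assumes are not in the hunks shown: that the new check returns -EACCES (the body of the added `if` is not visible), and that an effective uid of 0 is an acceptable stand-in for CAP_SYS_ADMIN.

```c
/* Added example, not part of the patch: verify that the host's
 * kernel.perf_event_paranoid level is enforced on perf_event_open() the
 * way the level-3 rule describes. ASSUMPTION markers flag what the patch
 * text does not state. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/perf_event.h>
#include <sys/syscall.h>
#endif

/* Parse the text read from /proc/sys/kernel/perf_event_paranoid (e.g. "3\n").
 * Returns the level, or INT_MIN if the text is not a single integer. */
int parse_paranoid_level(const char *text)
{
    char *end;
    long v;

    if (text == NULL)
        return INT_MIN;
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < INT_MIN || v > INT_MAX)
        return INT_MIN;
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    return (*end == '\0') ? (int)v : INT_MIN;
}

/* Expected result of the simplest request (software counter, own task,
 * kernel excluded) under the rule the patch adds: level > 2 without
 * CAP_SYS_ADMIN is refused. Returns 0 if the open should succeed, else the
 * errno it should fail with.
 * ASSUMPTION: the new `if` returns -EACCES like the other paranoid denials
 * in perf_event_open(); that line is not in the hunk shown. */
int expected_unpriv_open(int paranoid_level, int has_cap_sys_admin)
{
    if (paranoid_level > 2 && !has_cap_sys_admin)
        return EACCES;
    return 0;
}

/* Read the live sysctl. Returns the level, or INT_MIN on error. */
int read_paranoid_level(void)
{
    char buf[32];
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");

    if (f == NULL)
        return INT_MIN;
    if (fgets(buf, sizeof(buf), f) == NULL) {
        fclose(f);
        return INT_MIN;
    }
    fclose(f);
    return parse_paranoid_level(buf);
}

#ifdef __linux__
/* Open a CPU-clock software counter on the calling task only, kernel and
 * hypervisor excluded: levels 0-2 all permit this, so only the new level 3
 * should turn it away. Returns 0 on success, otherwise the syscall's errno. */
int probe_self_sw_counter(void)
{
    struct perf_event_attr attr;
    long fd;

    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof(attr);
    attr.config = PERF_COUNT_SW_CPU_CLOCK;
    attr.exclude_kernel = 1;
    attr.exclude_hv = 1;
    fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0UL);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

int main(void)
{
    /* ASSUMPTION: euid 0 stands in for CAP_SYS_ADMIN; a precise check would
     * read the capability set with capget(2). */
    int privileged = (geteuid() == 0);
    int level = read_paranoid_level();
    int want, got;

    if (level == INT_MIN) {
        fprintf(stderr, "cannot read kernel.perf_event_paranoid\n");
        return 2;
    }
    want = expected_unpriv_open(level, privileged);
    got = probe_self_sw_counter();
    printf("perf_event_paranoid=%d privileged=%d expected=%s observed=%s\n",
           level, privileged, want ? strerror(want) : "allowed",
           got ? strerror(got) : "allowed");
    /* Non-zero exit: policy not enforced as documented (or a seccomp filter
     * in a container answered with a different errno). */
    return (want == got) ? 0 : 1;
}
#endif
```

Build with `cc -o perfcheck perfcheck.c` and run it once as an unprivileged user and once as root after setting `sysctl kernel.perf_event_paranoid=3`; exit status 0 means the observed syscall result matches the rule, 1 means it does not. Inside a container a seccomp profile may answer with EPERM rather than EACCES, which the program reports as a mismatch so it is not mistaken for the kernel policy working.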
40 diff -Naur linux-5.15.22.orig/include/linux/perf_event.h linux-5.15.22/include/linux/perf_event.h
41 --- linux-5.15.22.orig/include/linux/perf_event.h 2022-02-11 15:39:26.163576222 +0000
42 +++ linux-5.15.22/include/linux/perf_event.h 2022-02-11 15:42:16.719697397 +0000
43 @@ -1346,6 +1346,11 @@
44 return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
47 +static inline bool perf_paranoid_any(void)
49 + return sysctl_perf_event_paranoid > 2;
52 extern void perf_event_init(void);
53 extern void perf_tp_event(u16 event_type, u64 count, void *record,
54 int entry_size, struct pt_regs *regs,
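Review bot: perf_paranoid_any() sidesteps the LSM path that the surrounding helpers in this header use: the context line directly above the insertion, `return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);`, shows that the existing paranoid decisions here are routed through security_perf_event_open() with the attr and a PERF_SECURITY_* selector, whereas the new helper is a bare `sysctl_perf_event_paranoid > 2` with no attr and no hook, so an LSM that wants to grant or audit level-3 access never sees the decision. Either give it the same shape as its neighbours (take the attr and call the hook with a new selector) or say in the commit message why level 3 is deliberately outside LSM policy. Separately, the commit message and the core.c comment describe this as "level 3" while the helper encodes it as `> 2`; a short comment on the helper (or a named constant) would keep the two readable side by side.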
55 diff -Naur linux-5.15.22.orig/kernel/events/core.c linux-5.15.22/kernel/events/core.c
56 --- linux-5.15.22.orig/kernel/events/core.c 2022-02-11 15:39:27.667683028 +0000
57 +++ linux-5.15.22/kernel/events/core.c 2022-02-11 15:42:16.723697680 +0000
59 * 0 - disallow raw tracepoint access for unpriv
60 * 1 - disallow cpu events for unpriv
61 * 2 - disallow kernel profiling for unpriv
62 + * 3 - disallow all unpriv perf event use
64 int sysctl_perf_event_paranoid __read_mostly = 2;
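Review bot: the in-source level table gains `3 - disallow all unpriv perf event use`, but the matching documentation change is not in this diff: the diffstat above lists `Documentation/sysctl/kernel.txt | 1 +` and "3 files changed", yet only include/linux/perf_event.h and kernel/events/core.c have hunks, so either the sysctl documentation hunk was dropped when the patch was regenerated against linux-5.15.22 or the diffstat is stale. Please include the documentation line with the same wording as this comment, and regenerate the diffstat so it matches the hunks actually sent.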
66 @@ -12090,6 +12091,9 @@
70 + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
73 err = perf_copy_attr(attr_uptr, &attr);
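Review bot: the gate uses `capable(CAP_SYS_ADMIN)`, but the file headers show this diff is against linux-5.15.22, where perf's other privilege checks accept CAP_PERFMON through perfmon_capable(); as written, a service granted only CAP_PERFMON so it can profile passes levels 1 and 2 but is refused at level 3, which contradicts the purpose of that capability. Suggest `if (perf_paranoid_any() && !perfmon_capable())` and wording the commit message and documentation as "without CAP_PERFMON or CAP_SYS_ADMIN". The body of the `if` is not in the visible hunk; it should return -EACCES like the other paranoid denials in this syscall so the error seen by callers stays uniform across levels. Placing the check ahead of perf_copy_attr() is fine, since it refuses before any user-supplied attr is parsed.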