git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
Kernel: Block non-UID-0 profiling completely
1 From: Jeff Vander Stoep <jeffv@google.com>
2 Date: Wed, 27 Jul 2016 07:45:46 -0700
3 Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com>
4 Subject: [kernel-hardening] [PATCH 1/2] security,
5 perf: allow further restriction of perf_event_open
6
7 When kernel.perf_event_paranoid is set to 3 (or greater), disallow
8 all access to performance events by users without CAP_SYS_ADMIN.
9
10 This new level of restriction is intended to reduce the attack
11 surface of the kernel. Perf is a valuable tool for developers but
12 is generally unnecessary and unused on production systems. Perf may
13 open up an attack vector to vulnerable device-specific drivers as
14 recently demonstrated in CVE-2016-0805, CVE-2016-0819,
15 CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of
16 restriction allows for a safe default to be set on production systems
17 while leaving a simple means for developers to grant access [1].
18
19 This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad
20 Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches
21 have been modified and split up to address on-list feedback.
22
23 kernel.perf_event_paranoid=3 is the default on both Debian [2] and
24 Android [3].
25
26 [1] Making perf available to developers on Android:
27 https://android-review.googlesource.com/#/c/234400/
28 [2] Original patch by Ben Hutchings:
29 https://lkml.org/lkml/2016/1/11/587
30 [3] https://android-review.googlesource.com/#/c/234743/
31
32 Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
33 Reviewed-by: Kees Cook <keescook@chromium.org>
34 ---
35 Documentation/sysctl/kernel.txt | 1 +
36 include/linux/perf_event.h | 5 +++++
37 kernel/events/core.c | 4 ++++
38 3 files changed, 10 insertions(+)
39
40 diff -Naur linux-5.15.22.orig/include/linux/perf_event.h linux-5.15.22/include/linux/perf_event.h
41 --- linux-5.15.22.orig/include/linux/perf_event.h 2022-02-11 15:39:26.163576222 +0000
42 +++ linux-5.15.22/include/linux/perf_event.h 2022-02-11 15:42:16.719697397 +0000
43 @@ -1346,6 +1346,11 @@
44 return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
45 }
46
47 +static inline bool perf_paranoid_any(void)
48 +{
49 + return sysctl_perf_event_paranoid > 2;
50 +}
51 +
52 extern void perf_event_init(void);
53 extern void perf_tp_event(u16 event_type, u64 count, void *record,
54 int entry_size, struct pt_regs *regs,
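Review bot: perf_paranoid_any() compares sysctl_perf_event_paranoid against a bare 2 with no comment, and the level it implements is explained only in the comment block in kernel/events/core.c. A one-line comment above the helper, or a named constant for level 3, would let a reader of this header see that it means "level 3 or higher, all unprivileged perf event use denied". The helper that ends just above it returns through security_perf_event_open(), while this one reads the sysctl directly and does not go through that hook; if that is intended, the comment should say so.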
55 diff -Naur linux-5.15.22.orig/kernel/events/core.c linux-5.15.22/kernel/events/core.c
56 --- linux-5.15.22.orig/kernel/events/core.c 2022-02-11 15:39:27.667683028 +0000
57 +++ linux-5.15.22/kernel/events/core.c 2022-02-11 15:42:16.723697680 +0000
58 @@ -414,6 +414,7 @@
59 * 0 - disallow raw tracepoint access for unpriv
60 * 1 - disallow cpu events for unpriv
61 * 2 - disallow kernel profiling for unpriv
62 + * 3 - disallow all unpriv perf event use
63 */
64 int sysctl_perf_event_paranoid __read_mostly = 2;
65
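Review bot: the default on the line right after the new comment stays at 2, so level 3 has no effect unless kernel.perf_event_paranoid is raised elsewhere; the commit message describes 3 as a safe default for production systems, so either change the initializer or state where the value is expected to be set. The diffstat also lists Documentation/sysctl/kernel.txt with one added line, but no hunk for that file appears in this patch, which leaves this source comment as the only documentation of the new level.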
66 @@ -12090,6 +12091,9 @@
67 if (err)
68 return err;
69
70 + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
71 + return -EACCES;
72 +
73 err = perf_copy_attr(attr_uptr, &attr);
74 if (err)
75 return err;
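Review bot: the new check in the @@ -12090 hunk sits after the earlier call whose result is tested by the "if (err) return err;" context lines, so a caller without CAP_SYS_ADMIN at level 3 still runs that code before being rejected. If the aim is to reduce attack surface, consider making the check the first statement in the function. The test is capability based, "!capable(CAP_SYS_ADMIN)", which matches the commit message but not the "non-UID-0" wording of the page title: a root process that has dropped CAP_SYS_ADMIN is denied and a non-root process that holds it is allowed, so the title or a comment should describe the rule in terms of the capability. The ordering "perf_paranoid_any() && !capable(...)" is worth keeping, since it means capable() is not evaluated at levels 2 and below.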