Kernel: Block non-UID-0 profiling completely

This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.

The second version of this patch rebases the kernel patch by Jeff
Vander Stoep against Linux 5.15.17 to avoid fuzzying.

Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index c8c775d13c03cda69f2abfb0508cede599b14d36..5fc3e3d892cf8fec333c44979336cb78e01b7da6 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -101,3 +101,6 @@ net.ipv4.tcp_rfc1337 = 1
 
 # Include PID in file names of generated core dumps
 kernel.core_uses_pid = 1
+
+# Block non-uid-0 profiling
+kernel.perf_event_paranoid = 3

diff --git a/lfs/linux b/lfs/linux
index bd9e0cc6506f80223ef274ea2a3ef2794e5d6eef..018892f7f2b056f6b08de97c9cce734491e9fe6d 100644 (file)
--- a/lfs/linux
+++ b/lfs/linux
@@ -137,6 +137,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # fix Boot with enabled usercopy hardening
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
 
+       # Patch performance monitoring restrictions to allow further hardening
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
        # Apply Arm-multiarch kernel patches.
        cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1

diff --git a/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
new file mode 100644 (file)
index 0000000..8a578e0
--- /dev/null
+++ b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
@@ -0,0 +1,75 @@
+From: Jeff Vander Stoep <jeffv@google.com>
+Date: Wed, 27 Jul 2016 07:45:46 -0700
+Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com>
+Subject: [kernel-hardening] [PATCH 1/2] security,
+       perf: allow further restriction of perf_event_open
+
+When kernel.perf_event_paranoid is set to 3 (or greater), disallow
+all access to performance events by users without CAP_SYS_ADMIN.
+
+This new level of restriction is intended to reduce the attack
+surface of the kernel. Perf is a valuable tool for developers but
+is generally unnecessary and unused on production systems. Perf may
+open up an attack vector to vulnerable device-specific drivers as
+recently demonstrated in CVE-2016-0805, CVE-2016-0819,
+CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of
+restriction allows for a safe default to be set on production systems
+while leaving a simple means for developers to grant access [1].
+
+This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad
+Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches
+have been modified and split up to address on-list feedback.
+
+kernel.perf_event_paranoid=3 is the default on both Debian [2] and
+Android [3].
+
+[1] Making perf available to developers on Android:
+https://android-review.googlesource.com/#/c/234400/
+[2] Original patch by Ben Hutchings:
+https://lkml.org/lkml/2016/1/11/587
+[3] https://android-review.googlesource.com/#/c/234743/
+
+Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+---
+ Documentation/sysctl/kernel.txt | 1 +
+ include/linux/perf_event.h      | 5 +++++
+ kernel/events/core.c            | 4 ++++
+ 3 files changed, 10 insertions(+)
+
+diff -Naur linux-5.15.22.orig/include/linux/perf_event.h linux-5.15.22/include/linux/perf_event.h
+--- linux-5.15.22.orig/include/linux/perf_event.h      2022-02-11 15:39:26.163576222 +0000
++++ linux-5.15.22/include/linux/perf_event.h   2022-02-11 15:42:16.719697397 +0000
+@@ -1346,6 +1346,11 @@
+       return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
+ }
+ 
++static inline bool perf_paranoid_any(void)
++{
++      return sysctl_perf_event_paranoid > 2;
++}
++
+ extern void perf_event_init(void);
+ extern void perf_tp_event(u16 event_type, u64 count, void *record,
+                         int entry_size, struct pt_regs *regs,
+diff -Naur linux-5.15.22.orig/kernel/events/core.c linux-5.15.22/kernel/events/core.c
+--- linux-5.15.22.orig/kernel/events/core.c    2022-02-11 15:39:27.667683028 +0000
++++ linux-5.15.22/kernel/events/core.c 2022-02-11 15:42:16.723697680 +0000
+@@ -414,6 +414,7 @@
+  *   0 - disallow raw tracepoint access for unpriv
+  *   1 - disallow cpu events for unpriv
+  *   2 - disallow kernel profiling for unpriv
++ *   3 - disallow all unpriv perf event use
+  */
+ int sysctl_perf_event_paranoid __read_mostly = 2;
+ 
+@@ -12090,6 +12091,9 @@
+       if (err)
+               return err;
+ 
++      if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++                              return -EACCES;
++
+       err = perf_copy_attr(attr_uptr, &attr);
+       if (err)
+               return err;