<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>LKML: Ben Hutchings: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open</title><link href="/css/message.css" rel="stylesheet" type="text/css" /><link href="/css/wrap.css" rel="alternate stylesheet" type="text/css" title="wrap" /><link href="/css/nowrap.css" rel="stylesheet" type="text/css" title="nowrap" /><link href="/favicon.ico" rel="shortcut icon" /><script src="/js/simple-calendar.js" type="text/javascript"></script><script src="/js/styleswitcher.js" type="text/javascript"></script><link rel="alternate" type="application/rss+xml" title="lkml.org : last 100 messages" href="/rss.php" /><link rel="alternate" type="application/rss+xml" title="lkml.org : last messages by Ben Hutchings" href="/groupie.php?aid=40282" /></head><body onload="es.jasper.simpleCalendar.init();" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><table border="0" cellpadding="0" cellspacing="0"><tr><td width="180" align="center"><a href="/"><img style="border:0;width:135px;height:32px" src="/images/toprowlk.gif" alt="lkml.org" /></a></td><td width="32">&nbsp;</td><td class="nb"></td><td width="32">&nbsp;</td></tr><tr><td valign="top"><div class="es-jasper-simpleCalendar" baseurl="/lkml/"></div><div class="threadlist">Messages in this thread</div><ul class="threadlist"><li class="root"><a href="/lkml/2016/1/11/561">First message in thread</a></li><li><a href="/lkml/2016/1/11/561">Ben Hutchings</a><ul><li><a href="/lkml/2016/1/11/562">Ben Hutchings</a></li><li class="origin"><a href="/lkml/2016/4/13/605">Ben Hutchings</a><ul><li><a href="/lkml/2016/4/13/605">Kees Cook</a><ul><li><a href="/lkml/2016/6/4/242">Jeffrey Vander Stoep</a></li><li><a href="/lkml/2016/6/16/870">Kees Cook</a><ul><li><a href="/lkml/2016/6/17/101">Peter Zijlstra</a></li></ul></li></ul></li><li><a href="/lkml/2016/6/17/50">Alexander Shishkin</a><ul><li><a href="/lkml/2016/6/17/392">Ben Hutchings</a></li><li><a href="/lkml/2016/6/17/619">Daniel Micay</a></li></ul></li></ul></li><li><a href="/lkml/2016/1/19/603">Ben Hutchings</a><ul><li><a href="/lkml/2016/2/3/266">tip-bot for Ben Hutchings</a></li></ul></li></ul></li></ul><div class="threadlist">Patch in this message</div><ul class="threadlist"><li><a href="/lkml/diff/2016/1/11/587/1">Get diff 1</a></li></ul></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerl.gif" width="32" height="32" alt="/" /></td><td class="c"
rowspan="2" valign="top" style="padding-top: 1em"><table><tr><td><table><tr><td class="lp">Date</td><td class="rp" itemprop="datePublished">Mon, 11 Jan 2016 15:23:55 +0000</td></tr><tr><td class="lp">From</td><td class="rp" itemprop="author">Ben Hutchings <></td></tr><tr><td class="lp">Subject</td><td class="rp" itemprop="name">[PATCH 2/2] security,perf: Allow further restriction of perf_event_open</td></tr></table></td><td></td></tr></table><pre itemprop="articleBody">When kernel.perf_event_open is set to 3 (or greater), disallow all<br />access to performance events by users without CAP_SYS_ADMIN.<br />Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that<br />makes this value the default.<br /><br />This is based on a similar feature in grsecurity<br />(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making<br />the variable read-only. It also allows enabling further restriction<br />at run-time regardless of whether the default is changed.<br /><br />Signed-off-by: Ben Hutchings <ben@decadent.org.uk><br />---<br />I made a similar change to Debian's kernel packages in August,<br />including the more restrictive default, and no-one has complained yet.<br /><br />Ben.<br /><br /> Documentation/sysctl/kernel.txt | 4 +++-<br /> include/linux/perf_event.h | 5 +++++<br /> kernel/events/core.c | 8 ++++++++<br /> security/Kconfig | 9 +++++++++<br /> 4 files changed, 25 insertions(+), 1 deletion(-)<br /><br />diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt<br />index 88a2c8e..76e2ca8 100644<br />--- a/Documentation/sysctl/kernel.txt<br />+++ b/Documentation/sysctl/kernel.txt<br />@@ -629,12 +629,14 @@ allowed to execute.<br /> perf_event_paranoid:<br /> <br /> Controls use of the performance events system by unprivileged<br />-users (without CAP_SYS_ADMIN). The default value is 1.<br />+users (without CAP_SYS_ADMIN). 
The default value is 3 if<br />+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.<br /> <br /> -1: Allow use of (almost) all events by all users<br /> >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK<br /> >=1: Disallow CPU event access by users without CAP_SYS_ADMIN<br /> >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN<br />+>=3: Disallow all event access by users without CAP_SYS_ADMIN<br /> <br /> ==============================================================<br /> <br />diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h<br />index f9828a4..aa72940 100644<br />--- a/include/linux/perf_event.h<br />+++ b/include/linux/perf_event.h<br />@@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,<br /> loff_t *ppos);<br /> <br /> <br />+static inline bool perf_paranoid_any(void)<br />+{<br />+ return sysctl_perf_event_paranoid > 2;<br />+}<br />+<br /> static inline bool perf_paranoid_tracepoint_raw(void)<br /> {<br /> return sysctl_perf_event_paranoid > -1;<br />diff --git a/kernel/events/core.c b/kernel/events/core.c<br />index cfc227c..85bc810 100644<br />--- a/kernel/events/core.c<br />+++ b/kernel/events/core.c<br />@@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;<br /> * 0 - disallow raw tracepoint access for unpriv<br /> * 1 - disallow cpu events for unpriv<br /> * 2 - disallow kernel profiling for unpriv<br />+ * 3 - disallow all unpriv perf event use<br /> */<br />+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT<br />+int sysctl_perf_event_paranoid __read_mostly = 3;<br />+#else<br /> int sysctl_perf_event_paranoid __read_mostly = 1;<br />+#endif<br /> <br /> /* Minimum for 512 kiB + 1 user control page */<br /> int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */<br />@@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,<br /> if (flags & ~PERF_FLAG_ALL)<br /> return -EINVAL;<br /> <br />+ if 
(perf_paranoid_any() && !capable(CAP_SYS_ADMIN))<br />+ return -EACCES;<br />+<br /> err = perf_copy_attr(attr_uptr, &attr);<br /> if (err)<br /> return err;<br />diff --git a/security/Kconfig b/security/Kconfig<br />index e452378..30a2603 100644<br />--- a/security/Kconfig<br />+++ b/security/Kconfig<br />@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT<br /> <br /> If you are unsure how to answer this question, answer N.<br /> <br />+config SECURITY_PERF_EVENTS_RESTRICT<br />+ bool "Restrict unprivileged use of performance events"<br />+ depends on PERF_EVENTS<br />+ help<br />+ If you say Y here, the kernel.perf_event_paranoid sysctl<br />+ will be set to 3 by default, and no unprivileged use of the<br />+ perf_event_open syscall will be permitted unless it is<br />+ changed.<br />+<br /> config SECURITY<br /> bool "Enable different security models"<br /> depends on SYSFS</pre></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerr.gif" width="32" height="32" alt="\" /></td></tr><tr><td align="right" valign="bottom"> &nbsp; </td></tr><tr><td align="right" valign="bottom">&nbsp;</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerl.gif" width="32" height="32" alt="\" /></td><td class="c">&nbsp;</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerr.gif" width="32" height="32" alt="/" /></td></tr><tr><td align="right" valign="top" colspan="2"> &nbsp; </td><td class="lm">Last update: 2016-01-11 16:41 &nbsp;&nbsp; [from the cache]<br />&copy;2003-2020 <a href="http://blog.jasper.es/"><span itemprop="editor">Jasper Spaans</span></a>|hosted at <a href="https://www.digitalocean.com/?refcode=9a8e99d24cf9">Digital Ocean</a> and my Meterkast|<a href="http://blog.jasper.es/categories.html#lkml-ref">Read the blog</a></td><td>&nbsp;</td></tr></table></body></html>
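Review bot: the changelog names the knob kernel.perf_event_open ("When kernel.perf_event_open is set to 3 (or greater)"), but the sysctl this Documentation/sysctl/kernel.txt hunk documents, and the one the Kconfig help text later in the patch refers to, is perf_event_paranoid; fix the first line of the commit message so the log and the documentation agree. The hunk itself matches the code: "The default value is 3 if CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise" corresponds to the #ifdef'd initializer in kernel/events/core.c, and the new ">=3: Disallow all event access by users without CAP_SYS_ADMIN" entry is the documented face of perf_paranoid_any()'s "> 2" test. Since the list reads as a ladder, it is worth spelling out in the ">=3" line that this is the first level at which an unprivileged process can no longer monitor even itself; ">=2" only removes kernel profiling. Drive-by, not this patch's fault: the pre-existing ">=0" line says CAP_IOC_LOCK, which is not a capability the kernel defines, so a follow-up fix would be welcome.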
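Review bot: in the include/linux/perf_event.h hunk, perf_paranoid_any() is added above perf_paranoid_tracepoint_raw() (the "> -1" helper), which breaks the ascending-level order the existing helpers follow; put it after the level-2 helper instead. A brief comment that "> 2" is the ">=3" of the sysctl documentation would also help, since the helper names say what is denied but not at which level. Functionally the helper is fine: it is a plain read of sysctl_perf_event_paranoid like its siblings, so it stays usable from the syscall path without any locking.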
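Review bot: in the first kernel/events/core.c hunk, the #ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT / #else / #endif around the initializer duplicates the declaration of sysctl_perf_event_paranoid; the usual form for a Kconfig-selected constant is one line, `int sysctl_perf_event_paranoid __read_mostly = IS_ENABLED(CONFIG_SECURITY_PERF_EVENTS_RESTRICT) ? 3 : 1;`, which keeps a single declaration and no preprocessor conditional in the middle of the variable block. The comment block gains "3 - disallow all unpriv perf event use", which matches the documentation hunk. Note that nothing in the patch limits the sysctl's range, so "3 (or greater)" in the changelog holds purely because perf_paranoid_any() tests "> 2"; a sentence saying that values above 3 are accepted and equivalent to 3 belongs in the documentation hunk.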
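Review bot: in the perf_event_open() hunk, the new `if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) return -EACCES;` is placed after the flags sanity check and before perf_copy_attr(), which is the right spot for a deny-all switch: nothing is copied from or validated on behalf of a caller who will be refused anyway. Two consequences deserve a sentence in the changelog. First, unlike the level 0-2 checks this one never looks at the attr, so a per-task software counter with exclude_kernel set, i.e. a process monitoring only itself in user space, is now refused too; that is the behaviour the patch wants, but user-space profilers that rely on it will start seeing EACCES and should be named as a known cost. Second, capable(CAP_SYS_ADMIN) makes the exception a global capability rather than anything an LSM or per-process policy could grant, so the only ways to let a trusted profiler through are CAP_SYS_ADMIN or lowering the sysctl system-wide; the "at run-time" remark in the changelog should be explicit that the override is system-wide. Please also confirm -EACCES is the errno the existing paranoid refusals in this function use, so that tools mapping EACCES to "check perf_event_paranoid" keep giving a correct hint.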
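Review bot: the help text of the new SECURITY_PERF_EVENTS_RESTRICT entry lacks the closing "If you are unsure how to answer this question, answer N." line that the preceding SECURITY_DMESG_RESTRICT entry ends with (visible as context at the top of the security/Kconfig hunk); add it for consistency with the rest of the file. The text should also say how to override the default, e.g. that the value can be lowered at run time via sysctl kernel.perf_event_paranoid, which the changelog states ("allows enabling further restriction at run-time regardless of whether the default is changed") but the help only hints at with "unless it is changed". Minor: "no unprivileged use of the perf_event_open syscall" is accurate only for callers without CAP_SYS_ADMIN, which is the wording the documentation hunk uses; use the same term here so readers do not wonder whether other capabilities count.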
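As an added example (not part of Ben's patch or of the kernel tree), here is a small user-space probe for checking what the running kernel's kernel.perf_event_paranoid value permits, and in particular whether the level-3 behaviour this patch introduces is active. It reads the sysctl, tries to open a per-task, user-space-only software counter on itself, and compares the outcome with what the documented levels predict. The choice of PERF_COUNT_SW_TASK_CLOCK with exclude_kernel set as the probe event, the expected_probe_result() helper and treating euid 0 as a stand-in for CAP_SYS_ADMIN are this example's assumptions; the sysctl path and the syscall are the kernel's real ones.

```c
/*
 * perf_paranoid_probe.c: from an unprivileged process, report what the running
 * kernel's kernel.perf_event_paranoid value permits and whether the level-3
 * "deny all unprivileged perf_event_open" policy from this patch is active.
 * Added example; not code from the patch or from the kernel tree.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Thresholds as listed in the patch's Documentation/sysctl/kernel.txt hunk. */
#define PARANOID_NO_KERNEL_PROFILE 2	/* ">=2: Disallow kernel profiling" */
#define PARANOID_NO_EVENTS_AT_ALL  3	/* ">=3: Disallow all event access" (new) */
#define PARANOID_SYSCTL "/proc/sys/kernel/perf_event_paranoid"
#define PARANOID_PARSE_ERROR INT_MIN	/* sentinel; real levels are small ints */

/* Parse the sysctl's text form ("2\n"); returns the level or PARANOID_PARSE_ERROR. */
int parse_paranoid_level(const char *text)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(text, &end, 10);
	if (errno || end == text || (*end != '\0' && *end != '\n') || v <= INT_MIN || v > INT_MAX)
		return PARANOID_PARSE_ERROR;
	return (int)v;
}

/*
 * What the documented policy predicts perf_event_open() returns for the probe
 * event below (assumption of this example: a per-task, user-space-only software
 * counter).  It is not a CPU event and excludes the kernel, so the level 1 and 2
 * checks leave it alone; only the new perf_paranoid_any() test (level > 2)
 * refuses it, and only for callers without CAP_SYS_ADMIN.
 */
int expected_probe_result(int level, int has_cap_sys_admin)
{
	if (has_cap_sys_admin)
		return 0;
	return level > PARANOID_NO_KERNEL_PROFILE ? -EACCES : 0;
}

/* Open the probe counter on the calling task, burn a little CPU, read it back.
 * Returns 0 with the count in *count, or -errno from perf_event_open()/read(). */
int probe_self_monitoring(unsigned long long *count)
{
	struct perf_event_attr attr;
	volatile unsigned long spin = 0;
	long fd;

	memset(&attr, 0, sizeof(attr));
	attr.type = PERF_TYPE_SOFTWARE;
	attr.size = sizeof(attr);
	attr.config = PERF_COUNT_SW_TASK_CLOCK;
	attr.exclude_kernel = 1;	/* stay clear of the level-2 (kernel profiling) check */
	fd = syscall(__NR_perf_event_open, &attr, 0 /* this task */, -1 /* any CPU */,
		     -1 /* no group */, 0UL);
	if (fd < 0)
		return -errno;
	for (unsigned long i = 0; i < 1000000; i++)
		spin += i;
	if (read(fd, count, sizeof(*count)) != (ssize_t)sizeof(*count)) {
		close(fd);
		return -EIO;
	}
	close(fd);
	return 0;
}

int main(void)
{
	char buf[32] = "";
	FILE *f = fopen(PARANOID_SYSCTL, "r");
	unsigned long long count = 0;
	int level = PARANOID_PARSE_ERROR, rc;

	if (f && fgets(buf, sizeof(buf), f))
		level = parse_paranoid_level(buf);
	if (level == PARANOID_PARSE_ERROR) {
		fprintf(stderr, "cannot read %s\n", PARANOID_SYSCTL);
		return 1;
	}
	fclose(f);
	printf("kernel.perf_event_paranoid = %d: %s\n", level,
	       level >= PARANOID_NO_EVENTS_AT_ALL ? "all unprivileged perf_event_open denied"
						 : "unprivileged self-monitoring allowed");
	rc = probe_self_monitoring(&count);
	if (rc == 0)
		printf("probe counter opened: task clock = %llu ns\n", count);
	else
		printf("perf_event_open failed: %s%s\n", strerror(-rc),
		       rc == -EACCES ? " (refused by the paranoid policy)" : "");
	/* euid 0 stands in for CAP_SYS_ADMIN (assumption); a mismatch means something
	 * besides this sysctl (seccomp, an LSM, a distro patch) made the decision. */
	if (rc != expected_probe_result(level, geteuid() == 0))
		printf("note: outcome differs from the documented policy for level %d\n", level);
	return 0;
}
```

Run it as a normal user: at paranoid levels up to 2 the counter opens and a task-clock reading is printed, at 3 or above the open fails with EACCES, which is exactly the check the patch adds. If the printed outcome and the "documented policy" disagree, something other than this sysctl (a seccomp filter, an LSM, a distribution kernel patch) is deciding, and the probe deliberately only flags that rather than guessing which.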