From: Ben Hutchings <ben@decadent.org.uk>
To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
Date: Mon, 11 Jan 2016 15:23:55 +0000 [thread overview]
Message-ID: <20160111152355.GS28542@decadent.org.uk> (raw)
In-Reply-To: <20160111151958.GQ28542@decadent.org.uk>
[-- Attachment #1: Type: text/plain, Size: 3944 bytes --]
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
I made a similar change to Debian's kernel packages in August,
including the more restrictive default, and no-one has complained yet.
Ben.
Documentation/sysctl/kernel.txt | 4 +++-
include/linux/perf_event.h | 5 +++++
kernel/events/core.c | 8 ++++++++
security/Kconfig | 9 +++++++++
4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 88a2c8e..76e2ca8 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -629,12 +629,14 @@ allowed to execute.
perf_event_paranoid:
Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN). The default value is 1.
+users (without CAP_SYS_ADMIN). The default value is 3 if
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
-1: Allow use of (almost) all events by all users
>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
+>=3: Disallow all event access by users without CAP_SYS_ADMIN
==============================================================
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index f9828a4..aa72940 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
loff_t *ppos);
+static inline bool perf_paranoid_any(void)
+{
+ return sysctl_perf_event_paranoid > 2;
+}
+
static inline bool perf_paranoid_tracepoint_raw(void)
{
return sysctl_perf_event_paranoid > -1;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index cfc227c..85bc810 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;
* 0 - disallow raw tracepoint access for unpriv
* 1 - disallow cpu events for unpriv
* 2 - disallow kernel profiling for unpriv
+ * 3 - disallow all unpriv perf event use
*/
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
int sysctl_perf_event_paranoid __read_mostly = 1;
+#endif
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
err = perf_copy_attr(attr_uptr, &attr);
if (err)
return err;
diff --git a/security/Kconfig b/security/Kconfig
index e452378..30a2603 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
If you are unsure how to answer this question, answer N.
+config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
config SECURITY
bool "Enable different security models"
depends on SYSFS
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
Date: Mon, 11 Jan 2016 15:23:55 +0000 [thread overview]
Message-ID: <20160111152355.GS28542@decadent.org.uk> (raw)
In-Reply-To: <20160111151958.GQ28542@decadent.org.uk>
[-- Attachment #1: Type: text/plain, Size: 3944 bytes --]
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
I made a similar change to Debian's kernel packages in August,
including the more restrictive default, and no-one has complained yet.
Ben.
Documentation/sysctl/kernel.txt | 4 +++-
include/linux/perf_event.h | 5 +++++
kernel/events/core.c | 8 ++++++++
security/Kconfig | 9 +++++++++
4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 88a2c8e..76e2ca8 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -629,12 +629,14 @@ allowed to execute.
perf_event_paranoid:
Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN). The default value is 1.
+users (without CAP_SYS_ADMIN). The default value is 3 if
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
-1: Allow use of (almost) all events by all users
>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
+>=3: Disallow all event access by users without CAP_SYS_ADMIN
==============================================================
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index f9828a4..aa72940 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
loff_t *ppos);
+static inline bool perf_paranoid_any(void)
+{
+ return sysctl_perf_event_paranoid > 2;
+}
+
static inline bool perf_paranoid_tracepoint_raw(void)
{
return sysctl_perf_event_paranoid > -1;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index cfc227c..85bc810 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;
* 0 - disallow raw tracepoint access for unpriv
* 1 - disallow cpu events for unpriv
* 2 - disallow kernel profiling for unpriv
+ * 3 - disallow all unpriv perf event use
*/
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
int sysctl_perf_event_paranoid __read_mostly = 1;
+#endif
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
err = perf_copy_attr(attr_uptr, &attr);
if (err)
return err;
diff --git a/security/Kconfig b/security/Kconfig
index e452378..30a2603 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
If you are unsure how to answer this question, answer N.
+config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
config SECURITY
bool "Enable different security models"
depends on SYSFS
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]
next prev parent reply other threads:[~2016-01-11 15:23 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-11 15:19 [kernel-hardening] [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
2016-01-11 15:19 ` Ben Hutchings
2016-01-11 15:21 ` [kernel-hardening] [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
2016-01-11 15:21 ` Ben Hutchings
2016-01-11 15:23 ` Ben Hutchings [this message]
2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
2016-04-13 16:12 ` [kernel-hardening] " Kees Cook
2016-06-04 20:49 ` Jeffrey Vander Stoep
2016-06-16 22:27 ` Kees Cook
2016-06-17 6:54 ` Peter Zijlstra
2016-06-17 16:16 ` Daniel Micay
2016-06-17 20:00 ` Arnaldo Carvalho de Melo
2016-06-18 0:51 ` Daniel Micay
2016-06-04 20:56 ` Jeffrey Vander Stoep
2016-06-17 5:56 ` [kernel-hardening] " Alexander Shishkin
2016-06-17 5:56 ` Alexander Shishkin
2016-06-17 12:18 ` [kernel-hardening] " Ben Hutchings
2016-06-17 12:18 ` Ben Hutchings
2016-06-17 15:24 ` [kernel-hardening] " Daniel Micay
2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
2016-01-21 14:25 ` Arnaldo Carvalho de Melo
2016-02-03 10:08 ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160111152355.GS28542@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.