From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CA3AC32751 for ; Thu, 8 Aug 2019 00:09:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D4FDA217D7 for ; Thu, 8 Aug 2019 00:09:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="DdNVqYf2" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389834AbfHHAJB (ORCPT ); Wed, 7 Aug 2019 20:09:01 -0400 Received: from mail-vs1-f73.google.com ([209.85.217.73]:34635 "EHLO mail-vs1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389719AbfHHAI1 (ORCPT ); Wed, 7 Aug 2019 20:08:27 -0400 Received: by mail-vs1-f73.google.com with SMTP id x22so23658682vsj.1 for ; Wed, 07 Aug 2019 17:08:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=wWUVtXS/AXD8335Dh0MfmfyjjxhSNslzhtjFi/unWYg=; b=DdNVqYf2plZN2kFlxuLhjtuWgXV8nm1gqJlf97T8/uot+/jaf1l90CprMRuBIm7xA8 VYaRWGfMozlZ0zi/w8YA51Hh/y+9qBV6iXNBdePVkg/sDgT9NEVyXH0lPlgX3vY5F6RW Ug+ylmGoY9yf9ILn3vJ1NZaONO0mdn/TbdCjm3B8uoV3r/8Gm7rISK+G0lWADAZtre0Z pEr8J5UFhOLT4Y5TKH+mAoKVke8ovg8ipF4UbWDLGX/xGDQ+xsU5EnbAXQNtkXyj7Skr Ih1a7z3Zs1TBZJdE+SOw6CU/yhIkcrbYCP4xstObpW3RBdf5krwSl2Zy7EQGS/VQqiQ1 h0rA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=wWUVtXS/AXD8335Dh0MfmfyjjxhSNslzhtjFi/unWYg=; b=BSD/YKU6iSrKqxeYFpogXZLRvXFQ/T19J9LjcMcogeNnndjljQ0DvMp5r3MCpx8FBL 0kO3LLUVFaqhEEhJMyzTtdbidaYmFDeINjn78CETMorX4v7k0aDBPnGaR/YcyVYRwIc4 c/IucYuOgbopgqHcz0XuGUZc0bMZXdCtKzUqfYl02MAui6Pad8uZzKQUKNynMHf0t5vf 2BbVH+61D1jQ+9lv9ZWjk4Ym0ZXulROOgjqi7n6Lq4GWGGDDikvn/s6cB1hCJ8n0Wqqi GrcIEsA0Q3q1TynS8Hqa+D1yezMEhAtcoea3a9n22enOYD9dCSSOvHN+5+Ylc2kSq9qC 6fBw== X-Gm-Message-State: APjAAAVDAijkKb7VOisYLTOV+47kNyuCi77ktr0AeOqnyd1Pz8DJChus BP3cpXYAhtXU0Gs63o3/SLLA639/yp1Bw5QLJl0+Zw== X-Google-Smtp-Source: APXvYqyxitklonktuhTk+1mcdmR320NSTCDOmTIQ4olyD+HJafcsfRdiGKNYDfexQo7EkUdQUykMv/dJMQOjq6/JJ9k+4w== X-Received: by 2002:a1f:b0b:: with SMTP id 11mr4694030vkl.64.1565222906414; Wed, 07 Aug 2019 17:08:26 -0700 (PDT) Date: Wed, 7 Aug 2019 17:07:16 -0700 In-Reply-To: <20190808000721.124691-1-matthewgarrett@google.com> Message-Id: <20190808000721.124691-25-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190808000721.124691-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V38 24/29] Lock down perf when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Matthew Garrett , Kees Cook , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: From: David Howells Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells Signed-off-by: Matthew Garrett Reviewed-by: Kees Cook Cc: Peter Zijlstra Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo --- include/linux/security.h | 1 + kernel/events/core.c | 7 +++++++ security/lockdown/lockdown.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 8dd1741a52cd..8ef366de70b0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -119,6 +119,7 @@ enum lockdown_reason { LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, + LOCKDOWN_PERF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/events/core.c b/kernel/events/core.c index c1f52a749db2..5c520b60163a 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10826,6 +10826,13 @@ SYSCALL_DEFINE5(perf_event_open, perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + + err = 0; + /* * In cgroup mode, the pid argument is used to pass the fd * opened to the cgroup directory in cgroupfs. The cpu argument diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 1b89d3e8e54d..fb437a7ef5f2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", + [LOCKDOWN_PERF] = "unsafe use of perf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog