From: Jeff Vander Stoep <jeffv@google.com> To: kernel-hardening@lists.openwall.com Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org, alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Vander Stoep <jeffv@google.com> Subject: [PATCH 1/2] security, perf: allow further restriction of perf_event_open Date: Wed, 27 Jul 2016 07:45:46 -0700 [thread overview] Message-ID: <1469630746-32279-1-git-send-email-jeffv@google.com> (raw) When kernel.perf_event_paranoid is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. This new level of restriction is intended to reduce the attack surface of the kernel. Perf is a valuable tool for developers but is generally unnecessary and unused on production systems. Perf may open up an attack vector to vulnerable device-specific drivers as recently demonstrated in CVE-2016-0805, CVE-2016-0819, CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of restriction allows for a safe default to be set on production systems while leaving a simple means for developers to grant access [1]. This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches have been modified and split up to address on-list feedback. kernel.perf_event_paranoid=3 is the default on both Debian [2] and Android [3]. [1] Making perf available to developers on Android: https://android-review.googlesource.com/#/c/234400/ [2] Original patch by Ben Hutchings: https://lkml.org/lkml/2016/1/11/587 [3] https://android-review.googlesource.com/#/c/234743/ Signed-off-by: Jeff Vander Stoep <jeffv@google.com> --- Documentation/sysctl/kernel.txt | 1 + include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index ffab8b5..fac9798 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -665,6 +665,7 @@ users (without CAP_SYS_ADMIN). The default value is 2. >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN +>=3: Disallow all event access by users without CAP_SYS_ADMIN ============================================================== diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index 8ed43261..1e2080f 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -1156,6 +1156,11 @@ static inline bool perf_paranoid_kernel(void) return sysctl_perf_event_paranoid > 1; } +static inline bool perf_paranoid_any(void) +{ + return sysctl_perf_event_paranoid > 2; +} + extern void perf_event_init(void); extern void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size, struct pt_regs *regs, diff --git a/kernel/events/core.c b/kernel/events/core.c index 356a6c7..52bd100 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -353,6 +353,7 @@ static struct srcu_struct pmus_srcu; * 0 - disallow raw tracepoint access for unpriv * 1 - disallow cpu events for unpriv * 2 - disallow kernel profiling for unpriv + * 3 - disallow all unpriv perf event use */ int sysctl_perf_event_paranoid __read_mostly = 2; @@ -9296,6 +9297,9 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) + return -EACCES; + err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -- 2.8.0.rc3.226.g39d4020
WARNING: multiple messages have this Message-ID (diff)
From: Jeff Vander Stoep <jeffv@google.com> To: kernel-hardening@lists.openwall.com Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org, alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Vander Stoep <jeffv@google.com> Subject: [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open Date: Wed, 27 Jul 2016 07:45:46 -0700 [thread overview] Message-ID: <1469630746-32279-1-git-send-email-jeffv@google.com> (raw) When kernel.perf_event_paranoid is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. This new level of restriction is intended to reduce the attack surface of the kernel. Perf is a valuable tool for developers but is generally unnecessary and unused on production systems. Perf may open up an attack vector to vulnerable device-specific drivers as recently demonstrated in CVE-2016-0805, CVE-2016-0819, CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of restriction allows for a safe default to be set on production systems while leaving a simple means for developers to grant access [1]. This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches have been modified and split up to address on-list feedback. kernel.perf_event_paranoid=3 is the default on both Debian [2] and Android [3]. [1] Making perf available to developers on Android: https://android-review.googlesource.com/#/c/234400/ [2] Original patch by Ben Hutchings: https://lkml.org/lkml/2016/1/11/587 [3] https://android-review.googlesource.com/#/c/234743/ Signed-off-by: Jeff Vander Stoep <jeffv@google.com> --- Documentation/sysctl/kernel.txt | 1 + include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index ffab8b5..fac9798 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -665,6 +665,7 @@ users (without CAP_SYS_ADMIN). The default value is 2. >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN +>=3: Disallow all event access by users without CAP_SYS_ADMIN ============================================================== diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index 8ed43261..1e2080f 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -1156,6 +1156,11 @@ static inline bool perf_paranoid_kernel(void) return sysctl_perf_event_paranoid > 1; } +static inline bool perf_paranoid_any(void) +{ + return sysctl_perf_event_paranoid > 2; +} + extern void perf_event_init(void); extern void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size, struct pt_regs *regs, diff --git a/kernel/events/core.c b/kernel/events/core.c index 356a6c7..52bd100 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -353,6 +353,7 @@ static struct srcu_struct pmus_srcu; * 0 - disallow raw tracepoint access for unpriv * 1 - disallow cpu events for unpriv * 2 - disallow kernel profiling for unpriv + * 3 - disallow all unpriv perf event use */ int sysctl_perf_event_paranoid __read_mostly = 2; @@ -9296,6 +9297,9 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) + return -EACCES; + err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -- 2.8.0.rc3.226.g39d4020
next reply other threads:[~2016-07-27 14:45 UTC|newest] Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-07-27 14:45 Jeff Vander Stoep [this message] 2016-07-27 14:45 ` [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open Jeff Vander Stoep 2016-07-27 20:43 ` Kees Cook 2016-07-27 20:43 ` Kees Cook 2016-08-02 9:52 ` Peter Zijlstra 2016-08-02 9:52 ` [kernel-hardening] " Peter Zijlstra 2016-08-02 13:04 ` Arnaldo Carvalho de Melo 2016-08-02 13:04 ` [kernel-hardening] " Arnaldo Carvalho de Melo 2016-08-02 13:10 ` Daniel Micay 2016-08-02 13:16 ` Daniel Micay 2016-08-02 19:04 ` Kees Cook 2016-08-02 19:04 ` Kees Cook 2016-08-02 20:30 ` Peter Zijlstra 2016-08-02 20:30 ` Peter Zijlstra 2016-08-02 20:51 ` Kees Cook 2016-08-02 20:51 ` Kees Cook 2016-08-02 21:06 ` Jeffrey Vander Stoep 2016-08-03 8:28 ` Ingo Molnar 2016-08-03 8:28 ` Ingo Molnar 2016-08-03 12:28 ` Daniel Micay 2016-08-03 12:53 ` Daniel Micay 2016-08-03 13:36 ` Peter Zijlstra 2016-08-03 14:41 ` Peter Zijlstra 2016-08-03 14:41 ` Peter Zijlstra 2016-08-03 15:42 ` Schaufler, Casey 2016-08-03 15:42 ` Schaufler, Casey 2016-08-03 17:25 ` Eric W. Biederman 2016-08-03 17:25 ` Eric W. Biederman 2016-08-03 18:53 ` Kees Cook 2016-08-03 18:53 ` Kees Cook 2016-08-03 21:44 ` Peter Zijlstra 2016-08-03 21:44 ` Peter Zijlstra 2016-08-04 2:50 ` Eric W. Biederman 2016-08-04 2:50 ` Eric W. Biederman 2016-08-04 9:11 ` Peter Zijlstra 2016-08-04 9:11 ` Peter Zijlstra 2016-08-04 15:13 ` Eric W. Biederman 2016-08-04 15:13 ` Eric W. Biederman 2016-08-04 15:37 ` Peter Zijlstra 2016-08-04 15:37 ` Peter Zijlstra 2016-08-03 19:36 ` Daniel Micay 2016-08-04 10:28 ` Mark Rutland 2016-08-04 13:45 ` Daniel Micay 2016-08-04 14:11 ` Peter Zijlstra 2016-08-04 15:44 ` Daniel Micay 2016-08-04 15:55 ` Peter Zijlstra 2016-08-04 16:10 ` Mark Rutland 2016-08-04 16:32 ` Daniel Micay 2016-08-04 17:09 ` Mark Rutland 2016-08-04 17:36 ` Daniel Micay 2016-08-02 21:16 ` Jeffrey Vander Stoep 2016-08-02 21:16 ` Jeffrey Vander Stoep 2016-10-17 13:44 ` [kernel-hardening] " Mark Rutland 2016-10-17 14:54 ` Daniel Micay 2016-10-19 9:41 ` Mark Rutland 2016-10-19 15:16 ` Daniel Micay 2016-10-18 20:48 ` Kees Cook 2016-10-18 20:48 ` Kees Cook 2016-10-18 21:15 ` Daniel Micay 2016-10-19 9:56 ` Mark Rutland 2016-10-19 10:01 ` Peter Zijlstra 2016-10-19 10:26 ` Arnaldo Carvalho de Melo 2016-10-19 10:40 ` Peter Zijlstra 2016-10-19 15:39 ` Daniel Micay
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1469630746-32279-1-git-send-email-jeffv@google.com \ --to=jeffv@google.com \ --cc=acme@kernel.org \ --cc=alexander.shishkin@linux.intel.com \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-doc@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mingo@redhat.com \ --cc=peterz@infradead.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.