* [PATCH 0/2] Document and extend kernel.perf_event_paranoid
From: Ben Hutchings @ 2016-01-11 15:19 UTC
To: linux-doc, linux-kernel, kernel-hardening

This moves documentation for the kernel.perf_event_paranoid to the
Documentation directory, then adds a more paranoid level.

Ben.

Ben Hutchings (2):
  Documentation,perf: Document the perf sysctls
  security,perf: Allow further restriction of perf_event_open

 Documentation/sysctl/kernel.txt | 15 +++++++++++++++
 include/linux/perf_event.h      |  5 +++++
 kernel/events/core.c            |  8 ++++++++
 security/Kconfig                |  9 +++++++++
 tools/perf/util/evsel.c         |  7 ++-----
 5 files changed, 39 insertions(+), 5 deletions(-)

* [PATCH 1/2] Documentation,perf: Document the perf sysctls 2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings @ 2016-01-11 15:21 ` Ben Hutchings 2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings 2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings 2 siblings, 0 replies; 16+ messages in thread From: Ben Hutchings @ 2016-01-11 15:21 UTC (permalink / raw) To: linux-doc, linux-kernel, kernel-hardening [-- Attachment #1: Type: text/plain, Size: 2383 bytes --] perf_event_paranoid was only documented in source code and a perf error message. Move the documentation from the error message to Documentation/sysctl/kernel.txt. perf_cpu_time_max_percent was already documented but missing from the list at the top, so add it there. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> --- Documentation/sysctl/kernel.txt | 13 +++++++++++++ tools/perf/util/evsel.c | 7 ++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index af70d15..88a2c8e 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -58,6 +58,8 @@ show up in /proc/sys/kernel: - panic_on_stackoverflow - panic_on_unrecovered_nmi - panic_on_warn +- perf_cpu_time_max_percent +- perf_event_paranoid - pid_max - powersave-nap [ PPC only ] - printk 
@@ -624,6 +626,17 @@ allowed to execute. ============================================================== +perf_event_paranoid: + +Controls use of the performance events system by unprivileged +users (without CAP_SYS_ADMIN). The default value is 1. + + -1: Allow use of (almost) all events by all users +>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK +>=1: Disallow CPU event access by users without CAP_SYS_ADMIN +>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN + +============================================================== pid_max: diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c index 397fb4e..9b4df11 100644 --- a/tools/perf/util/evsel.c +++ b/tools/perf/util/evsel.c @@ -2314,11 +2314,8 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target, case EACCES: return scnprintf(msg, size, "You may not have permission to collect %sstats.\n" - "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n" - " -1 - Not paranoid at all\n" - " 0 - Disallow raw tracepoint access for unpriv\n" - " 1 - Disallow cpu events for unpriv\n" - " 2 - Disallow kernel profiling for unpriv", + "Consider tweaking /proc/sys/kernel/perf_event_paranoid -\n" + "see Documentation/sysctl/kernel.txt", target->system_wide ? "system-wide " : ""); case ENOENT: return scnprintf(msg, size, "The %s event is not supported.", [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 811 bytes --] ^ permalink raw reply related [flat|nested] 16+ messages in thread
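Review bot: CAP_IOC_LOCK in the ">=0" row of the new perf_event_paranoid section (Documentation/sysctl/kernel.txt hunk) is not the name of a Linux capability; it looks like a typo for CAP_IPC_LOCK. The row also disagrees with the section's opening sentence, which defines unprivileged as "without CAP_SYS_ADMIN", so please check which capability the raw tracepoint check in kernel/events/core.c tests and name that one here.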
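Review bot: the EACCES branch of perf_evsel__open_strerror() in tools/perf/util/evsel.c now sends the user to Documentation/sysctl/kernel.txt, a path in the kernel source tree that someone running a packaged perf binary may not have on disk, and it drops the only description of the levels they would see at the point of failure. Consider keeping a short summary of the levels in the message and adding the pointer to it. The " -\n" before "see" also reads like a minus sign attached to the sysctl path; a comma would be clearer.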
* [PATCH 2/2] security,perf: Allow further restriction of perf_event_open 2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings 2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings @ 2016-01-11 15:23 ` Ben Hutchings 2016-04-13 16:12 ` [kernel-hardening] " Kees Cook 2016-06-17 5:56 ` Alexander Shishkin 2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings 2 siblings, 2 replies; 16+ messages in thread From: Ben Hutchings @ 2016-01-11 15:23 UTC (permalink / raw) To: linux-doc, linux-kernel, kernel-hardening [-- Attachment #1: Type: text/plain, Size: 3944 bytes --] When kernel.perf_event_open is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that makes this value the default. This is based on a similar feature in grsecurity (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making the variable read-only. It also allows enabling further restriction at run-time regardless of whether the default is changed. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> --- I made a similar change to Debian's kernel packages in August, including the more restrictive default, and no-one has complained yet. Ben. Documentation/sysctl/kernel.txt | 4 +++- include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 8 ++++++++ security/Kconfig | 9 +++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 88a2c8e..76e2ca8 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt 
@@ -629,12 +629,14 @@ allowed to execute. perf_event_paranoid: Controls use of the performance events system by unprivileged -users (without CAP_SYS_ADMIN). The default value is 1. +users (without CAP_SYS_ADMIN). The default value is 3 if +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise. -1: Allow use of (almost) all events by all users >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN +>=3: Disallow all event access by users without CAP_SYS_ADMIN ============================================================== diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index f9828a4..aa72940 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, loff_t *ppos); +static inline bool perf_paranoid_any(void) +{ + return sysctl_perf_event_paranoid > 2; +} + static inline bool perf_paranoid_tracepoint_raw(void) { return sysctl_perf_event_paranoid > -1; diff --git a/kernel/events/core.c b/kernel/events/core.c index cfc227c..85bc810 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu; * 0 - disallow raw tracepoint access for unpriv * 1 - disallow cpu events for unpriv * 2 - disallow kernel profiling for unpriv + * 3 - disallow all unpriv perf event use */ +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT +int sysctl_perf_event_paranoid __read_mostly = 3; +#else int sysctl_perf_event_paranoid __read_mostly = 1; +#endif /* Minimum for 512 kiB + 1 user control page */ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ 
@@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) + return -EACCES; + err = perf_copy_attr(attr_uptr, &attr); if (err) return err; diff --git a/security/Kconfig b/security/Kconfig index e452378..30a2603 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. +config SECURITY_PERF_EVENTS_RESTRICT + bool "Restrict unprivileged use of performance events" + depends on PERF_EVENTS + help + If you say Y here, the kernel.perf_event_paranoid sysctl + will be set to 3 by default, and no unprivileged use of the + perf_event_open syscall will be permitted unless it is + changed. + config SECURITY bool "Enable different security models" depends on SYSFS [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 811 bytes --] ^ permalink raw reply related [flat|nested] 16+ messages in thread
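Review bot: the new check in SYSCALL_DEFINE5(perf_event_open, ...) in kernel/events/core.c is applied only when an event is opened, so raising the sysctl to 3 at run time leaves events that unprivileged tasks already hold open untouched. Since the commit message presents run-time tightening as a feature, the ">=3" row added to Documentation/sysctl/kernel.txt should say that the restriction applies to new perf_event_open() calls only.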
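Review bot: the help text for SECURITY_PERF_EVENTS_RESTRICT in security/Kconfig states what the option sets but not why someone would want it, and "unless it is changed" leaves it unclear that "it" means the sysctl. Say that perf_event_open() will then require CAP_SYS_ADMIN, give the reason for restricting it, and end with an "If you are unsure how to answer this question, answer N." line as the SECURITY_DMESG_RESTRICT entry just above does.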
* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open 2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings @ 2016-04-13 16:12 ` Kees Cook 2016-06-04 20:56 ` Jeffrey Vander Stoep [not found] ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com> 2016-06-17 5:56 ` Alexander Shishkin 1 sibling, 2 replies; 16+ messages in thread From: Kees Cook @ 2016-04-13 16:12 UTC (permalink / raw) To: kernel-hardening; +Cc: linux-doc, LKML On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <ben@decadent.org.uk> wrote: > When kernel.perf_event_open is set to 3 (or greater), disallow all > access to performance events by users without CAP_SYS_ADMIN. > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that > makes this value the default. > > This is based on a similar feature in grsecurity > (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making > the variable read-only. It also allows enabling further restriction > at run-time regardless of whether the default is changed. > > Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Whoops, I entirely missed this email! Just found it now. Ben, can you resend this with Perf maintainers in CC? This seems sensible enough to me. -Kees > --- > I made a similar change to Debian's kernel packages in August, > including the more restrictive default, and no-one has complained yet. > > Ben. > > Documentation/sysctl/kernel.txt | 4 +++- > include/linux/perf_event.h | 5 +++++ > kernel/events/core.c | 8 ++++++++ > security/Kconfig | 9 +++++++++ > 4 files changed, 25 insertions(+), 1 deletion(-) > > diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt > index 88a2c8e..76e2ca8 100644 > --- a/Documentation/sysctl/kernel.txt > +++ b/Documentation/sysctl/kernel.txt 
> @@ -629,12 +629,14 @@ allowed to execute. > perf_event_paranoid: > > Controls use of the performance events system by unprivileged > -users (without CAP_SYS_ADMIN). The default value is 1. > +users (without CAP_SYS_ADMIN). The default value is 3 if > +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise. > > -1: Allow use of (almost) all events by all users > >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK > >=1: Disallow CPU event access by users without CAP_SYS_ADMIN > >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN > +>=3: Disallow all event access by users without CAP_SYS_ADMIN > > ============================================================== > > diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h > index f9828a4..aa72940 100644 > --- a/include/linux/perf_event.h > +++ b/include/linux/perf_event.h > @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, > loff_t *ppos); > > > +static inline bool perf_paranoid_any(void) > +{ > + return sysctl_perf_event_paranoid > 2; > +} > + > static inline bool perf_paranoid_tracepoint_raw(void) > { > return sysctl_perf_event_paranoid > -1; > diff --git a/kernel/events/core.c b/kernel/events/core.c > index cfc227c..85bc810 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu; > * 0 - disallow raw tracepoint access for unpriv > * 1 - disallow cpu events for unpriv > * 2 - disallow kernel profiling for unpriv > + * 3 - disallow all unpriv perf event use > */ > +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT > +int sysctl_perf_event_paranoid __read_mostly = 3; > +#else > int sysctl_perf_event_paranoid __read_mostly = 1; > +#endif > > /* Minimum for 512 kiB + 1 user control page */ > int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ 
> @@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open, > if (flags & ~PERF_FLAG_ALL) > return -EINVAL; > > + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) > + return -EACCES; > + > err = perf_copy_attr(attr_uptr, &attr); > if (err) > return err; > diff --git a/security/Kconfig b/security/Kconfig > index e452378..30a2603 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT > > If you are unsure how to answer this question, answer N. > > +config SECURITY_PERF_EVENTS_RESTRICT > + bool "Restrict unprivileged use of performance events" > + depends on PERF_EVENTS > + help > + If you say Y here, the kernel.perf_event_paranoid sysctl > + will be set to 3 by default, and no unprivileged use of the > + perf_event_open syscall will be permitted unless it is > + changed. > + > config SECURITY > bool "Enable different security models" > depends on SYSFS -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open 2016-04-13 16:12 ` [kernel-hardening] " Kees Cook @ 2016-06-04 20:56 ` Jeffrey Vander Stoep [not found] ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com> 1 sibling, 0 replies; 16+ messages in thread From: Jeffrey Vander Stoep @ 2016-06-04 20:56 UTC (permalink / raw) To: kernel-hardening; +Cc: linux-doc, LKML Acked-by: Jeff Vander Stoep <jeffv@google.com> In addition to Debian, this patch has been merged into AOSP and is a requirement for Android: https://android-review.googlesource.com/#/q/topic:CONFIG_SECURITY_PERF_EVENTS_RESTRICT On Wed, Apr 13, 2016 at 9:12 AM, Kees Cook <keescook@chromium.org> wrote: > On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <ben@decadent.org.uk> wrote: >> When kernel.perf_event_open is set to 3 (or greater), disallow all >> access to performance events by users without CAP_SYS_ADMIN. >> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that >> makes this value the default. >> >> This is based on a similar feature in grsecurity >> (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making >> the variable read-only. It also allows enabling further restriction >> at run-time regardless of whether the default is changed. >> >> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> > > Whoops, I entirely missed this email! Just found it now. > > Ben, can you resend this with Perf maintainers in CC? This seems > sensible enough to me. > > -Kees > >> --- >> I made a similar change to Debian's kernel packages in August, >> including the more restrictive default, and no-one has complained yet. >> >> Ben. >> >> Documentation/sysctl/kernel.txt | 4 +++- >> include/linux/perf_event.h | 5 +++++ >> kernel/events/core.c | 8 ++++++++ >> security/Kconfig | 9 +++++++++ >> 4 files changed, 25 insertions(+), 1 deletion(-) 
>> >> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt >> index 88a2c8e..76e2ca8 100644 >> --- a/Documentation/sysctl/kernel.txt >> +++ b/Documentation/sysctl/kernel.txt >> @@ -629,12 +629,14 @@ allowed to execute. >> perf_event_paranoid: >> >> Controls use of the performance events system by unprivileged >> -users (without CAP_SYS_ADMIN). The default value is 1. >> +users (without CAP_SYS_ADMIN). The default value is 3 if >> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise. >> >> -1: Allow use of (almost) all events by all users >> >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >> >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >> >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN >> +>=3: Disallow all event access by users without CAP_SYS_ADMIN >> >> ============================================================== >> >> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h >> index f9828a4..aa72940 100644 >> --- a/include/linux/perf_event.h >> +++ b/include/linux/perf_event.h >> @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, >> loff_t *ppos); >> >> >> +static inline bool perf_paranoid_any(void) >> +{ >> + return sysctl_perf_event_paranoid > 2; >> +} >> + >> static inline bool perf_paranoid_tracepoint_raw(void) >> { >> return sysctl_perf_event_paranoid > -1; >> diff --git a/kernel/events/core.c b/kernel/events/core.c >> index cfc227c..85bc810 100644 >> --- a/kernel/events/core.c >> +++ b/kernel/events/core.c 
>> @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu; >> * 0 - disallow raw tracepoint access for unpriv >> * 1 - disallow cpu events for unpriv >> * 2 - disallow kernel profiling for unpriv >> + * 3 - disallow all unpriv perf event use >> */ >> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT >> +int sysctl_perf_event_paranoid __read_mostly = 3; >> +#else >> int sysctl_perf_event_paranoid __read_mostly = 1; >> +#endif >> >> /* Minimum for 512 kiB + 1 user control page */ >> int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ >> @@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open, >> if (flags & ~PERF_FLAG_ALL) >> return -EINVAL; >> >> + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) >> + return -EACCES; >> + >> err = perf_copy_attr(attr_uptr, &attr); >> if (err) >> return err; >> diff --git a/security/Kconfig b/security/Kconfig >> index e452378..30a2603 100644 >> --- a/security/Kconfig >> +++ b/security/Kconfig >> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT >> >> If you are unsure how to answer this question, answer N. >> >> +config SECURITY_PERF_EVENTS_RESTRICT >> + bool "Restrict unprivileged use of performance events" >> + depends on PERF_EVENTS >> + help >> + If you say Y here, the kernel.perf_event_paranoid sysctl >> + will be set to 3 by default, and no unprivileged use of the >> + perf_event_open syscall will be permitted unless it is >> + changed. >> + >> config SECURITY >> bool "Enable different security models" >> depends on SYSFS > > > > -- > Kees Cook > Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open [not found] ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com> @ 2016-06-16 22:27 ` Kees Cook 2016-06-17 6:54 ` Peter Zijlstra 0 siblings, 1 reply; 16+ messages in thread From: Kees Cook @ 2016-06-16 22:27 UTC (permalink / raw) To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Alexander Shishkin Cc: linux-doc, kernel-hardening, LKML Hi guys, This patch wasn't originally CCed to you (I'm fixing that now). Would you consider taking this into the perf tree? It's been in active use in both Debian and Android for a while now. (If need be, I can resend it.) Thanks! -Kees On Sat, Jun 4, 2016 at 1:49 PM, Jeffrey Vander Stoep <jeffv@google.com> wrote: > Acked-by: Jeff Vander Stoep <jeffv@google.com> > > In addition to Debian, this patch has been merged into AOSP and is a > requirement for Android: > https://android-review.googlesource.com/#/q/topic:CONFIG_SECURITY_PERF_EVENTS_RESTRICT > > > On Wed, Apr 13, 2016 at 9:12 AM, Kees Cook <keescook@chromium.org> wrote: >> On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <ben@decadent.org.uk> >> wrote: >>> When kernel.perf_event_open is set to 3 (or greater), disallow all >>> access to performance events by users without CAP_SYS_ADMIN. >>> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that >>> makes this value the default. >>> >>> This is based on a similar feature in grsecurity >>> (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making >>> the variable read-only. It also allows enabling further restriction >>> at run-time regardless of whether the default is changed. 
>>> >>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> >> >> Whoops, I entirely missed this email! Just found it now. >> >> Ben, can you resend this with Perf maintainers in CC? This seems >> sensible enough to me. >> >> -Kees >> >>> --- >>> I made a similar change to Debian's kernel packages in August, >>> including the more restrictive default, and no-one has complained yet. >>> >>> Ben. >>> >>> Documentation/sysctl/kernel.txt | 4 +++- >>> include/linux/perf_event.h | 5 +++++ >>> kernel/events/core.c | 8 ++++++++ >>> security/Kconfig | 9 +++++++++ >>> 4 files changed, 25 insertions(+), 1 deletion(-) >>> >>> diff --git a/Documentation/sysctl/kernel.txt >>> b/Documentation/sysctl/kernel.txt >>> index 88a2c8e..76e2ca8 100644 >>> --- a/Documentation/sysctl/kernel.txt >>> +++ b/Documentation/sysctl/kernel.txt >>> @@ -629,12 +629,14 @@ allowed to execute. >>> perf_event_paranoid: >>> >>> Controls use of the performance events system by unprivileged >>> -users (without CAP_SYS_ADMIN). The default value is 1. >>> +users (without CAP_SYS_ADMIN). The default value is 3 if >>> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise. >>> >>> -1: Allow use of (almost) all events by all users >>> >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >>> >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >>> >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN >>> +>=3: Disallow all event access by users without CAP_SYS_ADMIN >>> >>> ============================================================== >>> >>> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h >>> index f9828a4..aa72940 100644 >>> --- a/include/linux/perf_event.h >>> +++ b/include/linux/perf_event.h 
>>> @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct >>> ctl_table *table, int write, >>> loff_t *ppos); >>> >>> >>> +static inline bool perf_paranoid_any(void) >>> +{ >>> + return sysctl_perf_event_paranoid > 2; >>> +} >>> + >>> static inline bool perf_paranoid_tracepoint_raw(void) >>> { >>> return sysctl_perf_event_paranoid > -1; >>> diff --git a/kernel/events/core.c b/kernel/events/core.c >>> index cfc227c..85bc810 100644 >>> --- a/kernel/events/core.c >>> +++ b/kernel/events/core.c >>> @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu; >>> * 0 - disallow raw tracepoint access for unpriv >>> * 1 - disallow cpu events for unpriv >>> * 2 - disallow kernel profiling for unpriv >>> + * 3 - disallow all unpriv perf event use >>> */ >>> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT >>> +int sysctl_perf_event_paranoid __read_mostly = 3; >>> +#else >>> int sysctl_perf_event_paranoid __read_mostly = 1; >>> +#endif >>> >>> /* Minimum for 512 kiB + 1 user control page */ >>> int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* >>> 'free' kiB per user */ >>> @@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open, >>> if (flags & ~PERF_FLAG_ALL) >>> return -EINVAL; >>> >>> + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) >>> + return -EACCES; >>> + >>> err = perf_copy_attr(attr_uptr, &attr); >>> if (err) >>> return err; >>> diff --git a/security/Kconfig b/security/Kconfig >>> index e452378..30a2603 100644 >>> --- a/security/Kconfig >>> +++ b/security/Kconfig 
>>> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT >>> >>> If you are unsure how to answer this question, answer N. >>> >>> +config SECURITY_PERF_EVENTS_RESTRICT >>> + bool "Restrict unprivileged use of performance events" >>> + depends on PERF_EVENTS >>> + help >>> + If you say Y here, the kernel.perf_event_paranoid sysctl >>> + will be set to 3 by default, and no unprivileged use of the >>> + perf_event_open syscall will be permitted unless it is >>> + changed. >>> + >>> config SECURITY >>> bool "Enable different security models" >>> depends on SYSFS >> >> >> >> -- >> Kees Cook >> Chrome OS & Brillo Security > -- Kees Cook Chrome OS & Brillo Security ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
From: Peter Zijlstra @ 2016-06-17 6:54 UTC
To: Kees Cook
Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Alexander Shishkin, linux-doc, kernel-hardening, LKML

On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote:
> Hi guys,
>
> This patch wasn't originally CCed to you (I'm fixing that now). Would
> you consider taking this into the perf tree?

No.

> It's been in active use
> in both Debian and Android for a while now.

Very nice of you all to finally inform us I suppose :/

> >>> When kernel.perf_event_open is set to 3 (or greater), disallow all
> >>> access to performance events by users without CAP_SYS_ADMIN.
> >>> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> >>> makes this value the default.
> >>>
> >>> This is based on a similar feature in grsecurity
> >>> (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
> >>> the variable read-only. It also allows enabling further restriction
> >>> at run-time regardless of whether the default is changed.

This Changelog is completely devoid of information. _WHY_ are you doing
this?

Also, hate the CONFIG.

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
From: Daniel Micay @ 2016-06-17 16:16 UTC
To: kernel-hardening, Kees Cook
Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Alexander Shishkin, linux-doc, LKML

On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote:
> > Hi guys,
> >
> > This patch wasn't originally CCed to you (I'm fixing that now).
> > Would you consider taking this into the perf tree?
>
> No.
>
> > It's been in active use
> > in both Debian and Android for a while now.
>
> Very nice of you all to finally inform us I suppose :/

It was in Debian a lot longer than Android, although the Android feature
came from a downstream variant where it was done much earlier:

https://android-review.googlesource.com/#/c/233736/

> > > > >
> > > > > access to performance events by users without CAP_SYS_ADMIN.
> > > > > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> > > > > makes this value the default.
> > > > >
> > > > > This is based on a similar feature in grsecurity
> > > > > (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include
> > > > > making the variable read-only. It also allows enabling further
> > > > > restriction at run-time regardless of whether the default is
> > > > > changed.
>
> This Changelog is completely devoid of information. _WHY_ are you
> doing this?

Attack surface reduction. It's possible to use seccomp-bpf for some
limited cases, but it's not flexible enough. There are lots of
information leaks and local privilege escalation vulnerabilities via
perf events, yet on most Linux installs it's not ever being used. So
turning it off by default on those installs is an easy win. The holes
are reduced to root -> kernel (and that's not a meaningful boundary in
mainline right now - although as is the case here, Debian has a bunch of
securelevel patches for that).

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
From: Arnaldo Carvalho de Melo @ 2016-06-17 20:00 UTC
To: Daniel Micay
Cc: kernel-hardening, Kees Cook, Ingo Molnar, Alexander Shishkin, linux-doc, Jiri Olsa, Thomas Gleixner, Namhyung Kim, David Ahern, LKML

On Fri, Jun 17, 2016 at 12:16:47PM -0400, Daniel Micay wrote:
> On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> > This Changelog is completely devoid of information. _WHY_ are you
> > doing this?

> Attack surface reduction. It's possible to use seccomp-bpf for some
> limited cases, but it's not flexible enough. There are lots of
> information leaks and local privilege escalation vulnerabilities via
> perf events, yet on most Linux installs it's not ever being used. So
> turning it off by default on those installs is an easy win. The holes
> are reduced to root -> kernel (and that's not a meaningful boundary in
> mainline right now - although as is the case here, Debian has a bunch of
> securelevel patches for that).

Is ptrace also disabled on such systems, or any of the other more recent
syscalls? The same arguments could probably be used to disable those:
reduce attack surface, possibly the new ones have bugs as they are
relatively new and it takes a long time for new syscalls to be more
generally used, if we go on disabling them in such a way, they will
probably never get used :-\

Wouldn't the recent bump in perf_event_paranoid to 2 be enough? I.e. only
allow profiling of user tasks?

Or is there something more specific that we should disable/constrain to
reduce such surface contact without using such a big hammer?

- Arnaldo

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
From: Daniel Micay @ 2016-06-18 0:51 UTC
To: Arnaldo Carvalho de Melo
Cc: kernel-hardening, Kees Cook, Ingo Molnar, Alexander Shishkin, linux-doc, Jiri Olsa, Thomas Gleixner, Namhyung Kim, David Ahern, LKML

On Fri, 2016-06-17 at 17:00 -0300, Arnaldo Carvalho de Melo wrote:
> On Fri, Jun 17, 2016 at 12:16:47PM -0400, Daniel Micay wrote:
> > On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> > > This Changelog is completely devoid of information. _WHY_ are you
> > > doing this?
>
> > Attack surface reduction. It's possible to use seccomp-bpf for some
> > limited cases, but it's not flexible enough. There are lots of
> > information leaks and local privilege escalation vulnerabilities via
> > perf events, yet on most Linux installs it's not ever being used. So
> > turning it off by default on those installs is an easy win. The
> > holes are reduced to root -> kernel (and that's not a meaningful
> > boundary in mainline right now - although as is the case here,
> > Debian has a bunch of securelevel patches for that).
>
> Is ptrace also disabled on such systems, or any of the other more
> recent syscalls? The same arguments could probably be used to disable
> those: reduce attack surface, possibly the new ones have bugs as they
> are relatively new and it takes a long time for new syscalls to be more
> generally used, if we go on disabling them in such a way, they will
> probably never get used :-\

ptrace is allowed for third party apps within their SELinux domain, but
they all run as different users (so the kernel attack surface is there).
It's now disabled for privileged platform apps and most other domains. A
bit backwards, but removing it for third party apps would break
compatibility so it would have to be done at an API level bump. At
least, without deciding it is worth the cost like hidepid=2 in Android N
(which exposes no mechanism for exceptions in 3rd party apps, only the
base system).

If seccomp-bpf didn't imply such high system call overhead outside of
x86_64, Android would probably be walling off some new system calls. It
needs 2-phase lookup similar to x86 on ARM. Android kernels do avoid
enabling lots of kernel functionality from System V IPC to USERNS
though. New features wouldn't end up enabled if they were behind config
options without an explicit choice.

> Wouldn't the recent bump in perf_event_paranoid to 2 be enough? I.e.
> only allow profiling of user tasks?

Most of the vulnerabilities are still exposed at 2. That prevents
leaking information about the kernel WITHOUT vulnerabilities though, and
would be an improvement when perf is disabled - but that doesn't really
matter much (Android kernel debugging and profiling would also still
work with 2).

> Or is there something more specific that we should disable/constrain
> to reduce such surface contact without using such a big hammer?

It's desired to have it globally disabled by default. Could use
seccomp-bpf to globally disable it, but that's a bigger hammer because
it can't be globally turned off without a reboot (could only profile
newly spawned processes after disabling it). Since it's only going to be
enabled by developers, trying to make it more fine-grained wouldn't
really pay off.

* Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
From: Alexander Shishkin @ 2016-06-17 5:56 UTC
To: Ben Hutchings, linux-doc, linux-kernel, kernel-hardening

Ben Hutchings <ben@decadent.org.uk> writes:

> When kernel.perf_event_open is set to 3 (or greater), disallow all
> access to performance events by users without CAP_SYS_ADMIN.
> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> makes this value the default.

So this patch does two things, can it then be made into two patches?

>
> This is based on a similar feature in grsecurity
> (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
> the variable read-only. It also allows enabling further restriction
> at run-time regardless of whether the default is changed.

This paragraph doesn't seem to belong in the commit message.

What this commit message is missing entirely is the rationale behind
this change other than "grsecurity does the same". Can you please
elaborate?

> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> I made a similar change to Debian's kernel packages in August,
> including the more restrictive default, and no-one has complained yet.

As a Debian user, is this a good place to complain? Because it does get
in the way.

Thanks,
--
Alex
* Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
From: Ben Hutchings @ 2016-06-17 12:18 UTC
To: Alexander Shishkin, linux-doc, linux-kernel, kernel-hardening

On Fri, 2016-06-17 at 08:56 +0300, Alexander Shishkin wrote:
> Ben Hutchings <ben@decadent.org.uk> writes:
>
> > When kernel.perf_event_open is set to 3 (or greater), disallow all
> > access to performance events by users without CAP_SYS_ADMIN.
> > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> > makes this value the default.
>
> So this patch does two things, can it then be made into two patches?

It could.

> >
> > This is based on a similar feature in grsecurity
> > (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
> > the variable read-only. It also allows enabling further restriction
> > at run-time regardless of whether the default is changed.
>
> This paragraph doesn't seem to belong in the commit message.

I'm giving credit where credit is due.

> What this commit message is missing entirely is the rationale behind
> this change other than "grsecurity does the same". Can you please
> elaborate?

It allows disabling a facility which in many systems is not needed and
is only a security risk.

> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > ---
> > I made a similar change to Debian's kernel packages in August,
> > including the more restrictive default, and no-one has complained yet.
>
> As a Debian user, is this a good place to complain? Because it does get
> in the way.

OK, then you're the first one. And you know how to change this, don't
you?

Ben.

--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus
* Re: [kernel-hardening] Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
From: Daniel Micay @ 2016-06-17 15:24 UTC
To: kernel-hardening, Ben Hutchings, linux-doc, linux-kernel

> As a Debian user, is this a good place to complain? Because it does get
> in the way.

It would be relevant to whether or not it should be set to 3 by default
in the kernel without explicit configuration, but there's no proposal to
do that. Debian has to pick a trade-off beyond security and a tiny
roadblock for developers.

It's not always the case though. In Android, there's userspace
integration allowing it to be toggled by the Android Debugging Bridge
shell user so profiling tools are being taught to automatically toggle
it. Enabling ADB and then using it for profiling is an implicit opt-in.
* [PATCH RESEND] perf: Document the perf sysctls 2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings 2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings 2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings @ 2016-01-19 21:35 ` Ben Hutchings 2016-01-21 14:25 ` Arnaldo Carvalho de Melo 2016-02-03 10:08 ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings 2 siblings, 2 replies; 16+ messages in thread From: Ben Hutchings @ 2016-01-19 21:35 UTC (permalink / raw) To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo Cc: linux-doc, linux-kernel [-- Attachment #1: Type: text/plain, Size: 2383 bytes --] perf_event_paranoid was only documented in source code and a perf error message. Move the documentation from the error message to Documentation/sysctl/kernel.txt. perf_cpu_time_max_percent was already documented but missing from the list at the top, so add it there. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> --- Documentation/sysctl/kernel.txt | 13 +++++++++++++ tools/perf/util/evsel.c | 7 ++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index af70d15..88a2c8e 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -58,6 +58,8 @@ show up in /proc/sys/kernel: - panic_on_stackoverflow - panic_on_unrecovered_nmi - panic_on_warn +- perf_cpu_time_max_percent +- perf_event_paranoid - pid_max - powersave-nap [ PPC only ] - printk 
@@ -624,6 +626,17 @@ allowed to execute. ============================================================== +perf_event_paranoid: + +Controls use of the performance events system by unprivileged +users (without CAP_SYS_ADMIN). The default value is 1. + + -1: Allow use of (almost) all events by all users +>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK +>=1: Disallow CPU event access by users without CAP_SYS_ADMIN +>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN + +============================================================== pid_max: diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c index 397fb4e..9b4df11 100644 --- a/tools/perf/util/evsel.c +++ b/tools/perf/util/evsel.c @@ -2314,11 +2314,8 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target, case EACCES: return scnprintf(msg, size, "You may not have permission to collect %sstats.\n" - "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n" - " -1 - Not paranoid at all\n" - " 0 - Disallow raw tracepoint access for unpriv\n" - " 1 - Disallow cpu events for unpriv\n" - " 2 - Disallow kernel profiling for unpriv", + "Consider tweaking /proc/sys/kernel/perf_event_paranoid -\n" + "see Documentation/sysctl/kernel.txt", target->system_wide ? "system-wide " : ""); case ENOENT: return scnprintf(msg, size, "The %s event is not supported.", [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 811 bytes --] ^ permalink raw reply related [flat|nested] 16+ messages in thread
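Review bot: In the Documentation/sysctl/kernel.txt hunk that adds the perf_event_paranoid section, the ">=0" line names CAP_IOC_LOCK, which is not a capability name (CAP_IPC_LOCK is the nearest real one), and it sits under an opening sentence that defines unprivileged as "without CAP_SYS_ADMIN". The error text this patch replaces in evsel.c only said "for unpriv" on every level, so the capability names are new here and are not a straight move of existing documentation. Please check each level against the capability the perf core actually tests, fix the name on the ">=0" line, and either make the opening sentence cover the one level that uses a different capability or say why that level differs.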
* Re: [PATCH RESEND] perf: Document the perf sysctls 2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings @ 2016-01-21 14:25 ` Arnaldo Carvalho de Melo 2016-02-03 10:08 ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings 1 sibling, 0 replies; 16+ messages in thread From: Arnaldo Carvalho de Melo @ 2016-01-21 14:25 UTC (permalink / raw) To: Ben Hutchings; +Cc: Peter Zijlstra, Ingo Molnar, linux-doc, linux-kernel Em Tue, Jan 19, 2016 at 09:35:15PM +0000, Ben Hutchings escreveu: > perf_event_paranoid was only documented in source code and a perf > error message. Move the documentation from the error message to > Documentation/sysctl/kernel.txt. > > perf_cpu_time_max_percent was already documented but missing from the > list at the top, so add it there. > > Signed-off-by: Ben Hutchings <ben@decadent.org.uk> > --- > Documentation/sysctl/kernel.txt | 13 +++++++++++++ > tools/perf/util/evsel.c | 7 ++----- > 2 files changed, 15 insertions(+), 5 deletions(-) > > diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt > index af70d15..88a2c8e 100644 > --- a/Documentation/sysctl/kernel.txt > +++ b/Documentation/sysctl/kernel.txt > @@ -58,6 +58,8 @@ show up in /proc/sys/kernel: > - panic_on_stackoverflow > - panic_on_unrecovered_nmi > - panic_on_warn > +- perf_cpu_time_max_percent > +- perf_event_paranoid > - pid_max > - powersave-nap [ PPC only ] > - printk 
> @@ -624,6 +626,17 @@ allowed to execute. > > ============================================================== > > +perf_event_paranoid: > + > +Controls use of the performance events system by unprivileged > +users (without CAP_SYS_ADMIN). The default value is 1. > + > + -1: Allow use of (almost) all events by all users > +>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK > +>=1: Disallow CPU event access by users without CAP_SYS_ADMIN > +>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN > + > +============================================================== > > pid_max: > > diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c > index 397fb4e..9b4df11 100644 > --- a/tools/perf/util/evsel.c > +++ b/tools/perf/util/evsel.c > @@ -2314,11 +2314,8 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target, > case EACCES: > return scnprintf(msg, size, > "You may not have permission to collect %sstats.\n" > - "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n" > - " -1 - Not paranoid at all\n" > - " 0 - Disallow raw tracepoint access for unpriv\n" > - " 1 - Disallow cpu events for unpriv\n" > - " 2 - Disallow kernel profiling for unpriv", > + "Consider tweaking /proc/sys/kernel/perf_event_paranoid -\n" > + "see Documentation/sysctl/kernel.txt", > target->system_wide ? "system-wide " : ""); Don't remove readily available information by a reference to a not always available file, I'm just synching this with the doc text you added to that Documentation file. - Arnaldo > case ENOENT: > return scnprintf(msg, size, "The %s event is not supported.", > ^ permalink raw reply [flat|nested] 16+ messages in thread
* [tip:perf/core] perf tools: Document the perf sysctls 2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings 2016-01-21 14:25 ` Arnaldo Carvalho de Melo @ 2016-02-03 10:08 ` tip-bot for Ben Hutchings 1 sibling, 0 replies; 16+ messages in thread From: tip-bot for Ben Hutchings @ 2016-02-03 10:08 UTC (permalink / raw) To: linux-tip-commits; +Cc: acme, ben, linux-kernel, peterz, mingo, hpa, tglx Commit-ID: 3379e0c3effa87d7734fc06277a7023292aadb0c Gitweb: http://git.kernel.org/tip/3379e0c3effa87d7734fc06277a7023292aadb0c Author: Ben Hutchings <ben@decadent.org.uk> AuthorDate: Tue, 19 Jan 2016 21:35:15 +0000 Committer: Arnaldo Carvalho de Melo <acme@redhat.com> CommitDate: Tue, 26 Jan 2016 11:52:45 -0300 perf tools: Document the perf sysctls perf_event_paranoid was only documented in source code and a perf error message. Copy the documentation from the error message to Documentation/sysctl/kernel.txt. perf_cpu_time_max_percent was already documented but missing from the list at the top, so add it there. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: Peter Zijlstra <peterz@infradead.org> Cc: linux-doc@vger.kernel.org Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk [ Remove reference to external Documentation file, provide info inline, as before ] Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> --- Documentation/sysctl/kernel.txt | 13 +++++++++++++ tools/perf/util/evsel.c | 15 +++++++++------ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 73c6b1e..c803e73 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -58,6 +58,8 @@ show up in /proc/sys/kernel: - panic_on_stackoverflow - panic_on_unrecovered_nmi - panic_on_warn +- perf_cpu_time_max_percent +- perf_event_paranoid - pid_max - powersave-nap [ PPC only ] - printk 
@@ -639,6 +641,17 @@ allowed to execute. ============================================================== +perf_event_paranoid: + +Controls use of the performance events system by unprivileged +users (without CAP_SYS_ADMIN). The default value is 1. + + -1: Allow use of (almost) all events by all users +>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK +>=1: Disallow CPU event access by users without CAP_SYS_ADMIN +>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN + +============================================================== pid_max: diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c index cdbaf9b..4678086 100644 --- a/tools/perf/util/evsel.c +++ b/tools/perf/util/evsel.c @@ -2362,12 +2362,15 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target, case EPERM: case EACCES: return scnprintf(msg, size, - "You may not have permission to collect %sstats.\n" - "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n" - " -1 - Not paranoid at all\n" - " 0 - Disallow raw tracepoint access for unpriv\n" - " 1 - Disallow cpu events for unpriv\n" - " 2 - Disallow kernel profiling for unpriv", + "You may not have permission to collect %sstats.\n\n" + "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n" + "which controls use of the performance events system by\n" + "unprivileged users (without CAP_SYS_ADMIN).\n\n" + "The default value is 1:\n\n" + " -1: Allow use of (almost) all events by all users\n" + ">= 0: Disallow raw tracepoint access by users without CAP_IOC_LOCK\n" + ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n" + ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN", target->system_wide ? "system-wide " : ""); case ENOENT: return scnprintf(msg, size, "The %s event is not supported.", ^ permalink raw reply related [flat|nested] 16+ messages in thread
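Review bot: In the tools/perf/util/evsel.c hunk, "The default value is 1:\n\n" ends in a colon and is followed directly by the level table, so the message reads as if all four lines describe value 1; the kernel.txt hunk in the same commit ends that sentence with a full stop. Suggest "The default value is 1.\n\n" here as well. The table now lives in two places with different spacing (">= 0" here, ">=0" in kernel.txt), so a comment next to the string pointing at Documentation/sysctl/kernel.txt would help keep them in step. The ">= 0" line also carries CAP_IOC_LOCK into user-visible output; that is not a capability name (CAP_IPC_LOCK is the nearest real one) and should be corrected in both copies.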