LKML Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/2] Document and extend kernel.perf_event_paranoid
@ 2016-01-11 15:19 Ben Hutchings
  2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
                   ` (2 more replies)
  0 siblings, 3 replies; 16+ messages in thread
From: Ben Hutchings @ 2016-01-11 15:19 UTC (permalink / raw)
  To: linux-doc, linux-kernel, kernel-hardening


[-- Attachment #1: Type: text/plain, Size: 553 bytes --]

This moves documentation for the kernel.perf_event_paranoid to the
Documentation directory, then adds a more paranoid level.

Ben.

Ben Hutchings (2):
  Documentation,perf: Document the perf sysctls
  security,perf: Allow further restriction of perf_event_open

 Documentation/sysctl/kernel.txt | 15 +++++++++++++++
 include/linux/perf_event.h      |  5 +++++
 kernel/events/core.c            |  8 ++++++++
 security/Kconfig                |  9 +++++++++
 tools/perf/util/evsel.c         |  7 ++-----
 5 files changed, 39 insertions(+), 5 deletions(-)


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 1/2] Documentation,perf: Document the perf sysctls
  2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
@ 2016-01-11 15:21 ` Ben Hutchings
  2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
  2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
  2 siblings, 0 replies; 16+ messages in thread
From: Ben Hutchings @ 2016-01-11 15:21 UTC (permalink / raw)
  To: linux-doc, linux-kernel, kernel-hardening


[-- Attachment #1: Type: text/plain, Size: 2383 bytes --]

perf_event_paranoid was only documented in source code and a perf
error message.  Move the documentation from the error message to
Documentation/sysctl/kernel.txt.

perf_cpu_time_max_percent was already documented but missing from the
list at the top, so add it there.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/sysctl/kernel.txt | 13 +++++++++++++
 tools/perf/util/evsel.c         |  7 ++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index af70d15..88a2c8e 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -58,6 +58,8 @@ show up in /proc/sys/kernel:
 - panic_on_stackoverflow
 - panic_on_unrecovered_nmi
 - panic_on_warn
+- perf_cpu_time_max_percent
+- perf_event_paranoid
 - pid_max
 - powersave-nap               [ PPC only ]
 - printk
@@ -624,6 +626,17 @@ allowed to execute.
 
 ==============================================================
 
+perf_event_paranoid:
+
+Controls use of the performance events system by unprivileged
+users (without CAP_SYS_ADMIN).  The default value is 1.
+
+ -1: Allow use of (almost) all events by all users
+>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
+>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
+>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
+
+==============================================================
 
 pid_max:
 
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 397fb4e..9b4df11 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -2314,11 +2314,8 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target,
 	case EACCES:
 		return scnprintf(msg, size,
 		 "You may not have permission to collect %sstats.\n"
-		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n"
-		 " -1 - Not paranoid at all\n"
-		 "  0 - Disallow raw tracepoint access for unpriv\n"
-		 "  1 - Disallow cpu events for unpriv\n"
-		 "  2 - Disallow kernel profiling for unpriv",
+		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid -\n"
+		 "see Documentation/sysctl/kernel.txt",
 				 target->system_wide ? "system-wide " : "");
 	case ENOENT:
 		return scnprintf(msg, size, "The %s event is not supported.",


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
  2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
@ 2016-01-11 15:23 ` Ben Hutchings
  2016-04-13 16:12   ` [kernel-hardening] " Kees Cook
  2016-06-17  5:56   ` Alexander Shishkin
  2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
  2 siblings, 2 replies; 16+ messages in thread
From: Ben Hutchings @ 2016-01-11 15:23 UTC (permalink / raw)
  To: linux-doc, linux-kernel, kernel-hardening


[-- Attachment #1: Type: text/plain, Size: 3944 bytes --]

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
the variable read-only.  It also allows enabling further restriction
at run-time regardless of whether the default is changed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
I made a similar change to Debian's kernel packages in August,
including the more restrictive default, and no-one has complained yet.

Ben.

 Documentation/sysctl/kernel.txt | 4 +++-
 include/linux/perf_event.h      | 5 +++++
 kernel/events/core.c            | 8 ++++++++
 security/Kconfig                | 9 +++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 88a2c8e..76e2ca8 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -629,12 +629,14 @@ allowed to execute.
 perf_event_paranoid:
 
 Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN).  The default value is 1.
+users (without CAP_SYS_ADMIN).  The default value is 3 if
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
 
  -1: Allow use of (almost) all events by all users
 >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
 >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
 >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
+>=3: Disallow all event access by users without CAP_SYS_ADMIN
 
 ==============================================================
 
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index f9828a4..aa72940 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
 		loff_t *ppos);
 
 
+static inline bool perf_paranoid_any(void)
+{
+	return sysctl_perf_event_paranoid > 2;
+}
+
 static inline bool perf_paranoid_tracepoint_raw(void)
 {
 	return sysctl_perf_event_paranoid > -1;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index cfc227c..85bc810 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;
  *   0 - disallow raw tracepoint access for unpriv
  *   1 - disallow cpu events for unpriv
  *   2 - disallow kernel profiling for unpriv
+ *   3 - disallow all unpriv perf event use
  */
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
 int sysctl_perf_event_paranoid __read_mostly = 1;
+#endif
 
 /* Minimum for 512 kiB + 1 user control page */
 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,
 	if (flags & ~PERF_FLAG_ALL)
 		return -EINVAL;
 
+	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+		return -EACCES;
+
 	err = perf_copy_attr(attr_uptr, &attr);
 	if (err)
 		return err;
diff --git a/security/Kconfig b/security/Kconfig
index e452378..30a2603 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
 
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_PERF_EVENTS_RESTRICT
+	bool "Restrict unprivileged use of performance events"
+	depends on PERF_EVENTS
+	help
+	  If you say Y here, the kernel.perf_event_paranoid sysctl
+	  will be set to 3 by default, and no unprivileged use of the
+	  perf_event_open syscall will be permitted unless it is
+	  changed.
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PATCH RESEND] perf: Document the perf sysctls
  2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
  2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
  2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
@ 2016-01-19 21:35 ` Ben Hutchings
  2016-01-21 14:25   ` Arnaldo Carvalho de Melo
  2016-02-03 10:08   ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings
  2 siblings, 2 replies; 16+ messages in thread
From: Ben Hutchings @ 2016-01-19 21:35 UTC (permalink / raw)
  To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo
  Cc: linux-doc, linux-kernel


[-- Attachment #1: Type: text/plain, Size: 2383 bytes --]

perf_event_paranoid was only documented in source code and a perf
error message.  Move the documentation from the error message to
Documentation/sysctl/kernel.txt.

perf_cpu_time_max_percent was already documented but missing from the
list at the top, so add it there.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/sysctl/kernel.txt | 13 +++++++++++++
 tools/perf/util/evsel.c         |  7 ++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index af70d15..88a2c8e 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -58,6 +58,8 @@ show up in /proc/sys/kernel:
 - panic_on_stackoverflow
 - panic_on_unrecovered_nmi
 - panic_on_warn
+- perf_cpu_time_max_percent
+- perf_event_paranoid
 - pid_max
 - powersave-nap               [ PPC only ]
 - printk
@@ -624,6 +626,17 @@ allowed to execute.
 
 ==============================================================
 
+perf_event_paranoid:
+
+Controls use of the performance events system by unprivileged
+users (without CAP_SYS_ADMIN).  The default value is 1.
+
+ -1: Allow use of (almost) all events by all users
+>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
+>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
+>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
+
+==============================================================
 
 pid_max:
 
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 397fb4e..9b4df11 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -2314,11 +2314,8 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target,
 	case EACCES:
 		return scnprintf(msg, size,
 		 "You may not have permission to collect %sstats.\n"
-		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n"
-		 " -1 - Not paranoid at all\n"
-		 "  0 - Disallow raw tracepoint access for unpriv\n"
-		 "  1 - Disallow cpu events for unpriv\n"
-		 "  2 - Disallow kernel profiling for unpriv",
+		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid -\n"
+		 "see Documentation/sysctl/kernel.txt",
 				 target->system_wide ? "system-wide " : "");
 	case ENOENT:
 		return scnprintf(msg, size, "The %s event is not supported.",


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [PATCH RESEND] perf: Document the perf sysctls
  2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
@ 2016-01-21 14:25   ` Arnaldo Carvalho de Melo
  2016-02-03 10:08   ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings
  1 sibling, 0 replies; 16+ messages in thread
From: Arnaldo Carvalho de Melo @ 2016-01-21 14:25 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: Peter Zijlstra, Ingo Molnar, linux-doc, linux-kernel

Em Tue, Jan 19, 2016 at 09:35:15PM +0000, Ben Hutchings escreveu:
> perf_event_paranoid was only documented in source code and a perf
> error message.  Move the documentation from the error message to
> Documentation/sysctl/kernel.txt.
> 
> perf_cpu_time_max_percent was already documented but missing from the
> list at the top, so add it there.
> 
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  Documentation/sysctl/kernel.txt | 13 +++++++++++++
>  tools/perf/util/evsel.c         |  7 ++-----
>  2 files changed, 15 insertions(+), 5 deletions(-)
> 
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index af70d15..88a2c8e 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -58,6 +58,8 @@ show up in /proc/sys/kernel:
>  - panic_on_stackoverflow
>  - panic_on_unrecovered_nmi
>  - panic_on_warn
> +- perf_cpu_time_max_percent
> +- perf_event_paranoid
>  - pid_max
>  - powersave-nap               [ PPC only ]
>  - printk
> @@ -624,6 +626,17 @@ allowed to execute.
>  
>  ==============================================================
>  
> +perf_event_paranoid:
> +
> +Controls use of the performance events system by unprivileged
> +users (without CAP_SYS_ADMIN).  The default value is 1.
> +
> + -1: Allow use of (almost) all events by all users
> +>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
> +>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
> +>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
> +
> +==============================================================
>  
>  pid_max:
>  
> diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
> index 397fb4e..9b4df11 100644
> --- a/tools/perf/util/evsel.c
> +++ b/tools/perf/util/evsel.c
> @@ -2314,11 +2314,8 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target,
>  	case EACCES:
>  		return scnprintf(msg, size,
>  		 "You may not have permission to collect %sstats.\n"
> -		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n"
> -		 " -1 - Not paranoid at all\n"
> -		 "  0 - Disallow raw tracepoint access for unpriv\n"
> -		 "  1 - Disallow cpu events for unpriv\n"
> -		 "  2 - Disallow kernel profiling for unpriv",
> +		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid -\n"
> +		 "see Documentation/sysctl/kernel.txt",
>  				 target->system_wide ? "system-wide " : "");

Don't remove readily available information by a reference to a not
always available file, I'm just synching this with the doc text you
added to that Documentation file.

- Arnaldo

>  	case ENOENT:
>  		return scnprintf(msg, size, "The %s event is not supported.",
> 

^ permalink raw reply	[flat|nested] 16+ messages in thread

* [tip:perf/core] perf tools: Document the perf sysctls
  2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
  2016-01-21 14:25   ` Arnaldo Carvalho de Melo
@ 2016-02-03 10:08   ` tip-bot for Ben Hutchings
  1 sibling, 0 replies; 16+ messages in thread
From: tip-bot for Ben Hutchings @ 2016-02-03 10:08 UTC (permalink / raw)
  To: linux-tip-commits; +Cc: acme, ben, linux-kernel, peterz, mingo, hpa, tglx

Commit-ID:  3379e0c3effa87d7734fc06277a7023292aadb0c
Gitweb:     http://git.kernel.org/tip/3379e0c3effa87d7734fc06277a7023292aadb0c
Author:     Ben Hutchings <ben@decadent.org.uk>
AuthorDate: Tue, 19 Jan 2016 21:35:15 +0000
Committer:  Arnaldo Carvalho de Melo <acme@redhat.com>
CommitDate: Tue, 26 Jan 2016 11:52:45 -0300

perf tools: Document the perf sysctls

perf_event_paranoid was only documented in source code and a perf error
message.  Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.

perf_cpu_time_max_percent was already documented but missing from the
list at the top, so add it there.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 Documentation/sysctl/kernel.txt | 13 +++++++++++++
 tools/perf/util/evsel.c         | 15 +++++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 73c6b1e..c803e73 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -58,6 +58,8 @@ show up in /proc/sys/kernel:
 - panic_on_stackoverflow
 - panic_on_unrecovered_nmi
 - panic_on_warn
+- perf_cpu_time_max_percent
+- perf_event_paranoid
 - pid_max
 - powersave-nap               [ PPC only ]
 - printk
@@ -639,6 +641,17 @@ allowed to execute.
 
 ==============================================================
 
+perf_event_paranoid:
+
+Controls use of the performance events system by unprivileged
+users (without CAP_SYS_ADMIN).  The default value is 1.
+
+ -1: Allow use of (almost) all events by all users
+>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
+>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
+>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
+
+==============================================================
 
 pid_max:
 
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index cdbaf9b..4678086 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -2362,12 +2362,15 @@ int perf_evsel__open_strerror(struct perf_evsel *evsel, struct target *target,
 	case EPERM:
 	case EACCES:
 		return scnprintf(msg, size,
-		 "You may not have permission to collect %sstats.\n"
-		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid:\n"
-		 " -1 - Not paranoid at all\n"
-		 "  0 - Disallow raw tracepoint access for unpriv\n"
-		 "  1 - Disallow cpu events for unpriv\n"
-		 "  2 - Disallow kernel profiling for unpriv",
+		 "You may not have permission to collect %sstats.\n\n"
+		 "Consider tweaking /proc/sys/kernel/perf_event_paranoid,\n"
+		 "which controls use of the performance events system by\n"
+		 "unprivileged users (without CAP_SYS_ADMIN).\n\n"
+		 "The default value is 1:\n\n"
+		 "  -1: Allow use of (almost) all events by all users\n"
+		 ">= 0: Disallow raw tracepoint access by users without CAP_IOC_LOCK\n"
+		 ">= 1: Disallow CPU event access by users without CAP_SYS_ADMIN\n"
+		 ">= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN",
 				 target->system_wide ? "system-wide " : "");
 	case ENOENT:
 		return scnprintf(msg, size, "The %s event is not supported.",

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
@ 2016-04-13 16:12   ` Kees Cook
  2016-06-04 20:56     ` Jeffrey Vander Stoep
       [not found]     ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com>
  2016-06-17  5:56   ` Alexander Shishkin
  1 sibling, 2 replies; 16+ messages in thread
From: Kees Cook @ 2016-04-13 16:12 UTC (permalink / raw)
  To: kernel-hardening; +Cc: linux-doc, LKML

On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <ben@decadent.org.uk> wrote:
> When kernel.perf_event_open is set to 3 (or greater), disallow all
> access to performance events by users without CAP_SYS_ADMIN.
> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> makes this value the default.
>
> This is based on a similar feature in grsecurity
> (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
> the variable read-only.  It also allows enabling further restriction
> at run-time regardless of whether the default is changed.
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Whoops, I entirely missed this email! Just found it now.

Ben, can you resend this with Perf maintainers in CC? This seems
sensible enough to me.

-Kees

> ---
> I made a similar change to Debian's kernel packages in August,
> including the more restrictive default, and no-one has complained yet.
>
> Ben.
>
>  Documentation/sysctl/kernel.txt | 4 +++-
>  include/linux/perf_event.h      | 5 +++++
>  kernel/events/core.c            | 8 ++++++++
>  security/Kconfig                | 9 +++++++++
>  4 files changed, 25 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index 88a2c8e..76e2ca8 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -629,12 +629,14 @@ allowed to execute.
>  perf_event_paranoid:
>
>  Controls use of the performance events system by unprivileged
> -users (without CAP_SYS_ADMIN).  The default value is 1.
> +users (without CAP_SYS_ADMIN).  The default value is 3 if
> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
>
>   -1: Allow use of (almost) all events by all users
>  >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>  >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>  >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
> +>=3: Disallow all event access by users without CAP_SYS_ADMIN
>
>  ==============================================================
>
> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
> index f9828a4..aa72940 100644
> --- a/include/linux/perf_event.h
> +++ b/include/linux/perf_event.h
> @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
>                 loff_t *ppos);
>
>
> +static inline bool perf_paranoid_any(void)
> +{
> +       return sysctl_perf_event_paranoid > 2;
> +}
> +
>  static inline bool perf_paranoid_tracepoint_raw(void)
>  {
>         return sysctl_perf_event_paranoid > -1;
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index cfc227c..85bc810 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;
>   *   0 - disallow raw tracepoint access for unpriv
>   *   1 - disallow cpu events for unpriv
>   *   2 - disallow kernel profiling for unpriv
> + *   3 - disallow all unpriv perf event use
>   */
> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
> +int sysctl_perf_event_paranoid __read_mostly = 3;
> +#else
>  int sysctl_perf_event_paranoid __read_mostly = 1;
> +#endif
>
>  /* Minimum for 512 kiB + 1 user control page */
>  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
> @@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,
>         if (flags & ~PERF_FLAG_ALL)
>                 return -EINVAL;
>
> +       if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
> +               return -EACCES;
> +
>         err = perf_copy_attr(attr_uptr, &attr);
>         if (err)
>                 return err;
> diff --git a/security/Kconfig b/security/Kconfig
> index e452378..30a2603 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
>
>           If you are unsure how to answer this question, answer N.
>
> +config SECURITY_PERF_EVENTS_RESTRICT
> +       bool "Restrict unprivileged use of performance events"
> +       depends on PERF_EVENTS
> +       help
> +         If you say Y here, the kernel.perf_event_paranoid sysctl
> +         will be set to 3 by default, and no unprivileged use of the
> +         perf_event_open syscall will be permitted unless it is
> +         changed.
> +
>  config SECURITY
>         bool "Enable different security models"
>         depends on SYSFS



-- 
Kees Cook
Chrome OS & Brillo Security

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-04-13 16:12   ` [kernel-hardening] " Kees Cook
@ 2016-06-04 20:56     ` Jeffrey Vander Stoep
       [not found]     ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com>
  1 sibling, 0 replies; 16+ messages in thread
From: Jeffrey Vander Stoep @ 2016-06-04 20:56 UTC (permalink / raw)
  To: kernel-hardening; +Cc: linux-doc, LKML

Acked-by: Jeff Vander Stoep <jeffv@google.com>

In addition to Debian, this patch has been merged into AOSP and is a
requirement for Android:
https://android-review.googlesource.com/#/q/topic:CONFIG_SECURITY_PERF_EVENTS_RESTRICT

On Wed, Apr 13, 2016 at 9:12 AM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <ben@decadent.org.uk> wrote:
>> When kernel.perf_event_open is set to 3 (or greater), disallow all
>> access to performance events by users without CAP_SYS_ADMIN.
>> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
>> makes this value the default.
>>
>> This is based on a similar feature in grsecurity
>> (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
>> the variable read-only.  It also allows enabling further restriction
>> at run-time regardless of whether the default is changed.
>>
>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
>
> Whoops, I entirely missed this email! Just found it now.
>
> Ben, can you resend this with Perf maintainers in CC? This seems
> sensible enough to me.
>
> -Kees
>
>> ---
>> I made a similar change to Debian's kernel packages in August,
>> including the more restrictive default, and no-one has complained yet.
>>
>> Ben.
>>
>>  Documentation/sysctl/kernel.txt | 4 +++-
>>  include/linux/perf_event.h      | 5 +++++
>>  kernel/events/core.c            | 8 ++++++++
>>  security/Kconfig                | 9 +++++++++
>>  4 files changed, 25 insertions(+), 1 deletion(-)
>>
>> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
>> index 88a2c8e..76e2ca8 100644
>> --- a/Documentation/sysctl/kernel.txt
>> +++ b/Documentation/sysctl/kernel.txt
>> @@ -629,12 +629,14 @@ allowed to execute.
>>  perf_event_paranoid:
>>
>>  Controls use of the performance events system by unprivileged
>> -users (without CAP_SYS_ADMIN).  The default value is 1.
>> +users (without CAP_SYS_ADMIN).  The default value is 3 if
>> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
>>
>>   -1: Allow use of (almost) all events by all users
>>  >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>>  >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>>  >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
>> +>=3: Disallow all event access by users without CAP_SYS_ADMIN
>>
>>  ==============================================================
>>
>> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
>> index f9828a4..aa72940 100644
>> --- a/include/linux/perf_event.h
>> +++ b/include/linux/perf_event.h
>> @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
>>                 loff_t *ppos);
>>
>>
>> +static inline bool perf_paranoid_any(void)
>> +{
>> +       return sysctl_perf_event_paranoid > 2;
>> +}
>> +
>>  static inline bool perf_paranoid_tracepoint_raw(void)
>>  {
>>         return sysctl_perf_event_paranoid > -1;
>> diff --git a/kernel/events/core.c b/kernel/events/core.c
>> index cfc227c..85bc810 100644
>> --- a/kernel/events/core.c
>> +++ b/kernel/events/core.c
>> @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;
>>   *   0 - disallow raw tracepoint access for unpriv
>>   *   1 - disallow cpu events for unpriv
>>   *   2 - disallow kernel profiling for unpriv
>> + *   3 - disallow all unpriv perf event use
>>   */
>> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>> +int sysctl_perf_event_paranoid __read_mostly = 3;
>> +#else
>>  int sysctl_perf_event_paranoid __read_mostly = 1;
>> +#endif
>>
>>  /* Minimum for 512 kiB + 1 user control page */
>>  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
>> @@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,
>>         if (flags & ~PERF_FLAG_ALL)
>>                 return -EINVAL;
>>
>> +       if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
>> +               return -EACCES;
>> +
>>         err = perf_copy_attr(attr_uptr, &attr);
>>         if (err)
>>                 return err;
>> diff --git a/security/Kconfig b/security/Kconfig
>> index e452378..30a2603 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
>>
>>           If you are unsure how to answer this question, answer N.
>>
>> +config SECURITY_PERF_EVENTS_RESTRICT
>> +       bool "Restrict unprivileged use of performance events"
>> +       depends on PERF_EVENTS
>> +       help
>> +         If you say Y here, the kernel.perf_event_paranoid sysctl
>> +         will be set to 3 by default, and no unprivileged use of the
>> +         perf_event_open syscall will be permitted unless it is
>> +         changed.
>> +
>>  config SECURITY
>>         bool "Enable different security models"
>>         depends on SYSFS
>
>
>
> --
> Kees Cook
> Chrome OS & Brillo Security

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
       [not found]     ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com>
@ 2016-06-16 22:27       ` Kees Cook
  2016-06-17  6:54         ` Peter Zijlstra
  0 siblings, 1 reply; 16+ messages in thread
From: Kees Cook @ 2016-06-16 22:27 UTC (permalink / raw)
  To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Alexander Shishkin
  Cc: linux-doc, kernel-hardening, LKML

Hi guys,

This patch wasn't originally CCed to you (I'm fixing that now). Would
you consider taking this into the perf tree? It's been in active use
in both Debian and Android for a while now.

(If need be, I can resend it.)

Thanks!

-Kees

On Sat, Jun 4, 2016 at 1:49 PM, Jeffrey Vander Stoep <jeffv@google.com> wrote:
> Acked-by: Jeff Vander Stoep <jeffv@google.com>
>
> In addition to Debian, this patch has been merged into AOSP and is a
> requirement for Android:
> https://android-review.googlesource.com/#/q/topic:CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>
>
> On Wed, Apr 13, 2016 at 9:12 AM, Kees Cook <keescook@chromium.org> wrote:
>> On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <ben@decadent.org.uk>
>> wrote:
>>> When kernel.perf_event_open is set to 3 (or greater), disallow all
>>> access to performance events by users without CAP_SYS_ADMIN.
>>> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
>>> makes this value the default.
>>>
>>> This is based on a similar feature in grsecurity
>>> (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
>>> the variable read-only.  It also allows enabling further restriction
>>> at run-time regardless of whether the default is changed.
>>>
>>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
>>
>> Whoops, I entirely missed this email! Just found it now.
>>
>> Ben, can you resend this with Perf maintainers in CC? This seems
>> sensible enough to me.
>>
>> -Kees
>>
>>> ---
>>> I made a similar change to Debian's kernel packages in August,
>>> including the more restrictive default, and no-one has complained yet.
>>>
>>> Ben.
>>>
>>>  Documentation/sysctl/kernel.txt | 4 +++-
>>>  include/linux/perf_event.h      | 5 +++++
>>>  kernel/events/core.c            | 8 ++++++++
>>>  security/Kconfig                | 9 +++++++++
>>>  4 files changed, 25 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/Documentation/sysctl/kernel.txt
>>> b/Documentation/sysctl/kernel.txt
>>> index 88a2c8e..76e2ca8 100644
>>> --- a/Documentation/sysctl/kernel.txt
>>> +++ b/Documentation/sysctl/kernel.txt
>>> @@ -629,12 +629,14 @@ allowed to execute.
>>>  perf_event_paranoid:
>>>
>>>  Controls use of the performance events system by unprivileged
>>> -users (without CAP_SYS_ADMIN).  The default value is 1.
>>> +users (without CAP_SYS_ADMIN).  The default value is 3 if
>>> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
>>>
>>>   -1: Allow use of (almost) all events by all users
>>>  >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>>>  >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>>>  >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
>>> +>=3: Disallow all event access by users without CAP_SYS_ADMIN
>>>
>>>  ==============================================================
>>>
>>> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
>>> index f9828a4..aa72940 100644
>>> --- a/include/linux/perf_event.h
>>> +++ b/include/linux/perf_event.h
>>> @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct
>>> ctl_table *table, int write,
>>>                 loff_t *ppos);
>>>
>>>
>>> +static inline bool perf_paranoid_any(void)
>>> +{
>>> +       return sysctl_perf_event_paranoid > 2;
>>> +}
>>> +
>>>  static inline bool perf_paranoid_tracepoint_raw(void)
>>>  {
>>>         return sysctl_perf_event_paranoid > -1;
>>> diff --git a/kernel/events/core.c b/kernel/events/core.c
>>> index cfc227c..85bc810 100644
>>> --- a/kernel/events/core.c
>>> +++ b/kernel/events/core.c
>>> @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;
>>>   *   0 - disallow raw tracepoint access for unpriv
>>>   *   1 - disallow cpu events for unpriv
>>>   *   2 - disallow kernel profiling for unpriv
>>> + *   3 - disallow all unpriv perf event use
>>>   */
>>> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>>> +int sysctl_perf_event_paranoid __read_mostly = 3;
>>> +#else
>>>  int sysctl_perf_event_paranoid __read_mostly = 1;
>>> +#endif
>>>
>>>  /* Minimum for 512 kiB + 1 user control page */
>>>  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /*
>>> 'free' kiB per user */
>>> @@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,
>>>         if (flags & ~PERF_FLAG_ALL)
>>>                 return -EINVAL;
>>>
>>> +       if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
>>> +               return -EACCES;
>>> +
>>>         err = perf_copy_attr(attr_uptr, &attr);
>>>         if (err)
>>>                 return err;
>>> diff --git a/security/Kconfig b/security/Kconfig
>>> index e452378..30a2603 100644
>>> --- a/security/Kconfig
>>> +++ b/security/Kconfig
>>> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
>>>
>>>           If you are unsure how to answer this question, answer N.
>>>
>>> +config SECURITY_PERF_EVENTS_RESTRICT
>>> +       bool "Restrict unprivileged use of performance events"
>>> +       depends on PERF_EVENTS
>>> +       help
>>> +         If you say Y here, the kernel.perf_event_paranoid sysctl
>>> +         will be set to 3 by default, and no unprivileged use of the
>>> +         perf_event_open syscall will be permitted unless it is
>>> +         changed.
>>> +
>>>  config SECURITY
>>>         bool "Enable different security models"
>>>         depends on SYSFS
>>
>>
>>
>> --
>> Kees Cook
>> Chrome OS & Brillo Security
>



-- 
Kees Cook
Chrome OS & Brillo Security

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
  2016-04-13 16:12   ` [kernel-hardening] " Kees Cook
@ 2016-06-17  5:56   ` Alexander Shishkin
  2016-06-17 12:18     ` Ben Hutchings
  2016-06-17 15:24     ` [kernel-hardening] " Daniel Micay
  1 sibling, 2 replies; 16+ messages in thread
From: Alexander Shishkin @ 2016-06-17  5:56 UTC (permalink / raw)
  To: Ben Hutchings, linux-doc, linux-kernel, kernel-hardening

Ben Hutchings <ben@decadent.org.uk> writes:

> When kernel.perf_event_open is set to 3 (or greater), disallow all
> access to performance events by users without CAP_SYS_ADMIN.
> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> makes this value the default.

So this patch does two things, can it then be made into two patches?

>
> This is based on a similar feature in grsecurity
> (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
> the variable read-only.  It also allows enabling further restriction
> at run-time regardless of whether the default is changed.

This paragraph doesn't seem to belong in the commit message.

What this commit message is missing entirely is the rationale behind
this change other than "grsecurity does the same". Can you please
elaborate?

> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> I made a similar change to Debian's kernel packages in August,
> including the more restrictive default, and no-one has complained yet.

As a debian user, is this a good place to complain? Because it does get
it the way.

Thanks,
--
Alex

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-06-16 22:27       ` Kees Cook
@ 2016-06-17  6:54         ` Peter Zijlstra
  2016-06-17 16:16           ` Daniel Micay
  0 siblings, 1 reply; 16+ messages in thread
From: Peter Zijlstra @ 2016-06-17  6:54 UTC (permalink / raw)
  To: Kees Cook
  Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Alexander Shishkin,
	linux-doc, kernel-hardening, LKML

On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote:
> Hi guys,
> 
> This patch wasn't originally CCed to you (I'm fixing that now). Would
> you consider taking this into the perf tree? 

No.

> It's been in active use
> in both Debian and Android for a while now.

Very nice of you all to finally inform us I suppose :/

> >>> When kernel.perf_event_open is set to 3 (or greater), disallow all
> >>> access to performance events by users without CAP_SYS_ADMIN.
> >>> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> >>> makes this value the default.
> >>>
> >>> This is based on a similar feature in grsecurity
> >>> (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
> >>> the variable read-only.  It also allows enabling further restriction
> >>> at run-time regardless of whether the default is changed.

This Changelog is completely devoid of information. _WHY_ are you doing
this?

Also, hate the CONFIG.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-06-17  5:56   ` Alexander Shishkin
@ 2016-06-17 12:18     ` Ben Hutchings
  2016-06-17 15:24     ` [kernel-hardening] " Daniel Micay
  1 sibling, 0 replies; 16+ messages in thread
From: Ben Hutchings @ 2016-06-17 12:18 UTC (permalink / raw)
  To: Alexander Shishkin, linux-doc, linux-kernel, kernel-hardening


[-- Attachment #1: Type: text/plain, Size: 1717 bytes --]

On Fri, 2016-06-17 at 08:56 +0300, Alexander Shishkin wrote:
> Ben Hutchings <ben@decadent.org.uk> writes:
> 
> > When kernel.perf_event_open is set to 3 (or greater), disallow all
> > access to performance events by users without CAP_SYS_ADMIN.
> > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> > makes this value the default.
> 
> So this patch does two things, can it then be made into two patches?

It could.

> > 
> > This is based on a similar feature in grsecurity
> > (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
> > the variable read-only.  It also allows enabling further restriction
> > at run-time regardless of whether the default is changed.
> 
> This paragraph doesn't seem to belong in the commit message.

I'm giving credit where credit is due.

> What this commit message is missing entirely is the rationale behind
> this change other than "grsecurity does the same". Can you please
> elaborate?

It allows disabling a facility which in many systems is not needed and
is only a security risk.

> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > ---
> > I made a similar change to Debian's kernel packages in August,
> > including the more restrictive default, and no-one has complained yet.
> 
> As a debian user, is this a good place to complain? Because it does get
> it the way.

OK, then you're the first one.  And you know how to change this, don't
you?

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert
Camus

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-06-17  5:56   ` Alexander Shishkin
  2016-06-17 12:18     ` Ben Hutchings
@ 2016-06-17 15:24     ` Daniel Micay
  1 sibling, 0 replies; 16+ messages in thread
From: Daniel Micay @ 2016-06-17 15:24 UTC (permalink / raw)
  To: kernel-hardening, Ben Hutchings, linux-doc, linux-kernel


[-- Attachment #1: Type: text/plain, Size: 617 bytes --]

> As a debian user, is this a good place to complain? Because it does
> get
> it the way.

It would be relevant to whether or not it should be set to 3 by default
in the kernel without explicit configuration, but there's no proposal to
do that. Debian has to pick a trade-off beyond security and a tiny
roadblock for developers. It's not always the case though.

In Android, there's userspace integration allowing it to be toggled by
the Android Debugging Bridge shell user so profiling tools are being
taught to automatically toggle it. Enabling ADB and then using it for
profiling is an implicit opt-in.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-06-17  6:54         ` Peter Zijlstra
@ 2016-06-17 16:16           ` Daniel Micay
  2016-06-17 20:00             ` Arnaldo Carvalho de Melo
  0 siblings, 1 reply; 16+ messages in thread
From: Daniel Micay @ 2016-06-17 16:16 UTC (permalink / raw)
  To: kernel-hardening, Kees Cook
  Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Alexander Shishkin,
	linux-doc, LKML


[-- Attachment #1: Type: text/plain, Size: 1763 bytes --]

On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote:
> > Hi guys,
> > 
> > This patch wasn't originally CCed to you (I'm fixing that now).
> > Would
> > you consider taking this into the perf tree? 
> 
> No.
> 
> > It's been in active use
> > in both Debian and Android for a while now.
> 
> Very nice of you all to finally inform us I suppose :/

It was in Debian a lot longer than Android, although the Android feature
came from a downstream variant where it was done much earlier:

https://android-review.googlesource.com/#/c/233736/

> > > > > 
> > > > > access to performance events by users without CAP_SYS_ADMIN.
> > > > > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> > > > > makes this value the default.
> > > > > 
> > > > > This is based on a similar feature in grsecurity
> > > > > (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include
> > > > > making
> > > > > the variable read-only.  It also allows enabling further
> > > > > restriction
> > > > > at run-time regardless of whether the default is changed.
> 
> This Changelog is completely devoid of information. _WHY_ are you
> doing
> this?

Attack surface reduction. It's possible to use seccomp-bpf for some
limited cases, but it's not flexible enough. There are lots of
information leaks and local privilege escalation vulnerabilities via
perf events, yet on most Linux installs it's not ever being used. So
turning it off by default on those installs is an easy win. The holes
are reduced to root -> kernel (and that's not a meaningful boundary in
mainline right now - although as is the case here, Debian has a bunch of
securelevel patches for that).

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-06-17 16:16           ` Daniel Micay
@ 2016-06-17 20:00             ` Arnaldo Carvalho de Melo
  2016-06-18  0:51               ` Daniel Micay
  0 siblings, 1 reply; 16+ messages in thread
From: Arnaldo Carvalho de Melo @ 2016-06-17 20:00 UTC (permalink / raw)
  To: Daniel Micay
  Cc: kernel-hardening, Kees Cook, Ingo Molnar, Alexander Shishkin,
	linux-doc, Jiri Olsa, Thomas Gleixner, Namhyung Kim, David Ahern,
	LKML

Em Fri, Jun 17, 2016 at 12:16:47PM -0400, Daniel Micay escreveu:
> On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> > This Changelog is completely devoid of information. _WHY_ are you
> > doing this?
 
> Attack surface reduction. It's possible to use seccomp-bpf for some
> limited cases, but it's not flexible enough. There are lots of
> information leaks and local privilege escalation vulnerabilities via
> perf events, yet on most Linux installs it's not ever being used. So
> turning it off by default on those installs is an easy win. The holes
> are reduced to root -> kernel (and that's not a meaningful boundary in
> mainline right now - although as is the case here, Debian has a bunch of
> securelevel patches for that).

Is ptrace also disabled on such systems, or any of the other more recent
syscalls? The same arguments could probably be used to disable those:
reduce attack surface, possibly the new ones have bugs as they are
relatively new and it takes a long time for new syscalls to be more
generally used, if we go on disabling them in such a way, they will
probably never get used :-\

Wouldn't the recent bump in perf_event_paranoid to 2 enough? I.e. only
allow profiling of user tasks?

Or is there something more specific that we should disable/constrain to
reduce such surface contact without using such a big hammer?

- Arnaldo

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
  2016-06-17 20:00             ` Arnaldo Carvalho de Melo
@ 2016-06-18  0:51               ` Daniel Micay
  0 siblings, 0 replies; 16+ messages in thread
From: Daniel Micay @ 2016-06-18  0:51 UTC (permalink / raw)
  To: Arnaldo Carvalho de Melo
  Cc: kernel-hardening, Kees Cook, Ingo Molnar, Alexander Shishkin,
	linux-doc, Jiri Olsa, Thomas Gleixner, Namhyung Kim, David Ahern,
	LKML


[-- Attachment #1: Type: text/plain, Size: 3097 bytes --]

On Fri, 2016-06-17 at 17:00 -0300, Arnaldo Carvalho de Melo wrote:
> Em Fri, Jun 17, 2016 at 12:16:47PM -0400, Daniel Micay escreveu:
> > On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> > > This Changelog is completely devoid of information. _WHY_ are you
> > > doing this?
>  
> > Attack surface reduction. It's possible to use seccomp-bpf for some
> > limited cases, but it's not flexible enough. There are lots of
> > information leaks and local privilege escalation vulnerabilities via
> > perf events, yet on most Linux installs it's not ever being used. So
> > turning it off by default on those installs is an easy win. The
> > holes
> > are reduced to root -> kernel (and that's not a meaningful boundary
> > in
> > mainline right now - although as is the case here, Debian has a
> > bunch of
> > securelevel patches for that).
> 
> Is ptrace also disabled on such systems, or any of the other more
> recent
> syscalls? The same arguments could probably be used to disable those:
> reduce attack surface, possibly the new ones have bugs as they are
> relatively new and it takes a long time for new syscalls to be more
> generally used, if we go on disabling them in such a way, they will
> probably never get used :-\

ptrace is allowed for third party apps within their SELinux domain, but
they all run as different users (so the kernel attack surface is there).
It's now disabled for privileged platform apps and most other domains. A
bit backwards, but removing it for third party apps would break
compatibility so it would have to be done at an API level bump. At
least, without deciding it is worth the cost like hidepid=2 in Android N
(which exposes no mechanism for exceptions in 3rd party apps, only the
base system).

If seccomp-bpf didn't imply such high system call overhead outside of
x86_64, Android would probably be walling off some new system calls. It
needs 2-phase lookup similar to x86 on ARM. Android kernels do avoid
enabling lots of kernel functionality from System V IPC to USERNS
though. New features wouldn't end up enabled if they were behind config
options without an explicit choice.

> Wouldn't the recent bump in perf_event_paranoid to 2 enough? I.e. only
> allow profiling of user tasks?

Most of the vulnerabilities are still exposed at 2. That prevents
leaking information about the kernel WITHOUT vulnerabilities though, and
would be an improvement when perf is disabled - but that doesn't really
matter much (Android kernel debugging and profiling would also still
work with 2).

> Or is there something more specific that we should disable/constrain
> to
> reduce such surface contact without using such a big hammer?

It's desired to have it globally disabled by default. Could use seccomp-
bpf to globally disable it, but that's a bigger hammer because it can't
be globally turned off without a reboot (could only profile newly
spawned processes after disabling it). Since it's only going to be
enabled by developers, trying to make it more fine-grained wouldn't
really pay off.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

end of thread, back to index

Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
2016-04-13 16:12   ` [kernel-hardening] " Kees Cook
2016-06-04 20:56     ` Jeffrey Vander Stoep
     [not found]     ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com>
2016-06-16 22:27       ` Kees Cook
2016-06-17  6:54         ` Peter Zijlstra
2016-06-17 16:16           ` Daniel Micay
2016-06-17 20:00             ` Arnaldo Carvalho de Melo
2016-06-18  0:51               ` Daniel Micay
2016-06-17  5:56   ` Alexander Shishkin
2016-06-17 12:18     ` Ben Hutchings
2016-06-17 15:24     ` [kernel-hardening] " Daniel Micay
2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
2016-01-21 14:25   ` Arnaldo Carvalho de Melo
2016-02-03 10:08   ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
	git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
	git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git