LKML Archive on
 help / color / Atom feed
From: Alexander Shishkin <>
To: Ben Hutchings <>,,,
Subject: Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
Date: Fri, 17 Jun 2016 08:56:46 +0300
Message-ID: <> (raw)
In-Reply-To: <>

Ben Hutchings <> writes:

> When kernel.perf_event_open is set to 3 (or greater), disallow all
> access to performance events by users without CAP_SYS_ADMIN.
> makes this value the default.

So this patch does two things, can it then be made into two patches?

> This is based on a similar feature in grsecurity
> (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
> the variable read-only.  It also allows enabling further restriction
> at run-time regardless of whether the default is changed.

This paragraph doesn't seem to belong in the commit message.

What this commit message is missing entirely is the rationale behind
this change other than "grsecurity does the same". Can you please

> Signed-off-by: Ben Hutchings <>
> ---
> I made a similar change to Debian's kernel packages in August,
> including the more restrictive default, and no-one has complained yet.

As a debian user, is this a good place to complain? Because it does get
it the way.


  parent reply index

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
2016-04-13 16:12   ` [kernel-hardening] " Kees Cook
2016-06-04 20:56     ` Jeffrey Vander Stoep
     [not found]     ` <>
2016-06-16 22:27       ` Kees Cook
2016-06-17  6:54         ` Peter Zijlstra
2016-06-17 16:16           ` Daniel Micay
2016-06-17 20:00             ` Arnaldo Carvalho de Melo
2016-06-18  0:51               ` Daniel Micay
2016-06-17  5:56   ` Alexander Shishkin [this message]
2016-06-17 12:18     ` Ben Hutchings
2016-06-17 15:24     ` [kernel-hardening] " Daniel Micay
2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
2016-01-21 14:25   ` Arnaldo Carvalho de Melo
2016-02-03 10:08   ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on

Archives are clonable:
	git clone --mirror lkml/git/0.git
	git clone --mirror lkml/git/1.git
	git clone --mirror lkml/git/2.git
	git clone --mirror lkml/git/3.git
	git clone --mirror lkml/git/4.git
	git clone --mirror lkml/git/5.git
	git clone --mirror lkml/git/6.git
	git clone --mirror lkml/git/7.git
	git clone --mirror lkml/git/8.git
	git clone --mirror lkml/git/9.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ \
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone