From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
To: Ben Hutchings <ben@decadent.org.uk>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
Date: Fri, 17 Jun 2016 08:56:46 +0300 [thread overview]
Message-ID: <871t3wuzmp.fsf@ashishki-desk.ger.corp.intel.com> (raw)
In-Reply-To: <20160111152355.GS28542@decadent.org.uk>
Ben Hutchings <ben@decadent.org.uk> writes:
> When kernel.perf_event_open is set to 3 (or greater), disallow all
> access to performance events by users without CAP_SYS_ADMIN.
> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> makes this value the default.
So this patch does two things, can it then be made into two patches?
>
> This is based on a similar feature in grsecurity
> (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
> the variable read-only. It also allows enabling further restriction
> at run-time regardless of whether the default is changed.
This paragraph doesn't seem to belong in the commit message.
What this commit message is missing entirely is the rationale behind
this change other than "grsecurity does the same". Can you please
elaborate?
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> I made a similar change to Debian's kernel packages in August,
> including the more restrictive default, and no-one has complained yet.
As a debian user, is this a good place to complain? Because it does get
it the way.
Thanks,
--
Alex
next prev parent reply other threads:[~2016-06-17 5:56 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
2016-04-13 16:12 ` [kernel-hardening] " Kees Cook
2016-06-04 20:56 ` Jeffrey Vander Stoep
[not found] ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com>
2016-06-16 22:27 ` Kees Cook
2016-06-17 6:54 ` Peter Zijlstra
2016-06-17 16:16 ` Daniel Micay
2016-06-17 20:00 ` Arnaldo Carvalho de Melo
2016-06-18 0:51 ` Daniel Micay
2016-06-17 5:56 ` Alexander Shishkin [this message]
2016-06-17 12:18 ` Ben Hutchings
2016-06-17 15:24 ` [kernel-hardening] " Daniel Micay
2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
2016-01-21 14:25 ` Arnaldo Carvalho de Melo
2016-02-03 10:08 ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871t3wuzmp.fsf@ashishki-desk.ger.corp.intel.com \
--to=alexander.shishkin@linux.intel.com \
--cc=ben@decadent.org.uk \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).