LKML Archive on lore.kernel.org
 help / color / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: "linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open
Date: Thu, 16 Jun 2016 15:27:55 -0700
Message-ID: <CAGXu5j+D00zz7dVPX4LpW41Gk=m7G_h25vZgOyYdVbW+wyvj6Q@mail.gmail.com> (raw)
In-Reply-To: <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com>

Hi guys,

This patch wasn't originally CCed to you (I'm fixing that now). Would
you consider taking this into the perf tree? It's been in active use
in both Debian and Android for a while now.

(If need be, I can resend it.)

Thanks!

-Kees

On Sat, Jun 4, 2016 at 1:49 PM, Jeffrey Vander Stoep <jeffv@google.com> wrote:
> Acked-by: Jeff Vander Stoep <jeffv@google.com>
>
> In addition to Debian, this patch has been merged into AOSP and is a
> requirement for Android:
> https://android-review.googlesource.com/#/q/topic:CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>
>
> On Wed, Apr 13, 2016 at 9:12 AM, Kees Cook <keescook@chromium.org> wrote:
>> On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <ben@decadent.org.uk>
>> wrote:
>>> When kernel.perf_event_open is set to 3 (or greater), disallow all
>>> access to performance events by users without CAP_SYS_ADMIN.
>>> Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
>>> makes this value the default.
>>>
>>> This is based on a similar feature in grsecurity
>>> (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
>>> the variable read-only.  It also allows enabling further restriction
>>> at run-time regardless of whether the default is changed.
>>>
>>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
>>
>> Whoops, I entirely missed this email! Just found it now.
>>
>> Ben, can you resend this with Perf maintainers in CC? This seems
>> sensible enough to me.
>>
>> -Kees
>>
>>> ---
>>> I made a similar change to Debian's kernel packages in August,
>>> including the more restrictive default, and no-one has complained yet.
>>>
>>> Ben.
>>>
>>>  Documentation/sysctl/kernel.txt | 4 +++-
>>>  include/linux/perf_event.h      | 5 +++++
>>>  kernel/events/core.c            | 8 ++++++++
>>>  security/Kconfig                | 9 +++++++++
>>>  4 files changed, 25 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/Documentation/sysctl/kernel.txt
>>> b/Documentation/sysctl/kernel.txt
>>> index 88a2c8e..76e2ca8 100644
>>> --- a/Documentation/sysctl/kernel.txt
>>> +++ b/Documentation/sysctl/kernel.txt
>>> @@ -629,12 +629,14 @@ allowed to execute.
>>>  perf_event_paranoid:
>>>
>>>  Controls use of the performance events system by unprivileged
>>> -users (without CAP_SYS_ADMIN).  The default value is 1.
>>> +users (without CAP_SYS_ADMIN).  The default value is 3 if
>>> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
>>>
>>>   -1: Allow use of (almost) all events by all users
>>>  >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>>>  >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>>>  >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
>>> +>=3: Disallow all event access by users without CAP_SYS_ADMIN
>>>
>>>  ==============================================================
>>>
>>> diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
>>> index f9828a4..aa72940 100644
>>> --- a/include/linux/perf_event.h
>>> +++ b/include/linux/perf_event.h
>>> @@ -989,6 +989,11 @@ extern int perf_cpu_time_max_percent_handler(struct
>>> ctl_table *table, int write,
>>>                 loff_t *ppos);
>>>
>>>
>>> +static inline bool perf_paranoid_any(void)
>>> +{
>>> +       return sysctl_perf_event_paranoid > 2;
>>> +}
>>> +
>>>  static inline bool perf_paranoid_tracepoint_raw(void)
>>>  {
>>>         return sysctl_perf_event_paranoid > -1;
>>> diff --git a/kernel/events/core.c b/kernel/events/core.c
>>> index cfc227c..85bc810 100644
>>> --- a/kernel/events/core.c
>>> +++ b/kernel/events/core.c
>>> @@ -175,8 +175,13 @@ static struct srcu_struct pmus_srcu;
>>>   *   0 - disallow raw tracepoint access for unpriv
>>>   *   1 - disallow cpu events for unpriv
>>>   *   2 - disallow kernel profiling for unpriv
>>> + *   3 - disallow all unpriv perf event use
>>>   */
>>> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>>> +int sysctl_perf_event_paranoid __read_mostly = 3;
>>> +#else
>>>  int sysctl_perf_event_paranoid __read_mostly = 1;
>>> +#endif
>>>
>>>  /* Minimum for 512 kiB + 1 user control page */
>>>  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /*
>>> 'free' kiB per user */
>>> @@ -8265,6 +8270,9 @@ SYSCALL_DEFINE5(perf_event_open,
>>>         if (flags & ~PERF_FLAG_ALL)
>>>                 return -EINVAL;
>>>
>>> +       if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
>>> +               return -EACCES;
>>> +
>>>         err = perf_copy_attr(attr_uptr, &attr);
>>>         if (err)
>>>                 return err;
>>> diff --git a/security/Kconfig b/security/Kconfig
>>> index e452378..30a2603 100644
>>> --- a/security/Kconfig
>>> +++ b/security/Kconfig
>>> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
>>>
>>>           If you are unsure how to answer this question, answer N.
>>>
>>> +config SECURITY_PERF_EVENTS_RESTRICT
>>> +       bool "Restrict unprivileged use of performance events"
>>> +       depends on PERF_EVENTS
>>> +       help
>>> +         If you say Y here, the kernel.perf_event_paranoid sysctl
>>> +         will be set to 3 by default, and no unprivileged use of the
>>> +         perf_event_open syscall will be permitted unless it is
>>> +         changed.
>>> +
>>>  config SECURITY
>>>         bool "Enable different security models"
>>>         depends on SYSFS
>>
>>
>>
>> --
>> Kees Cook
>> Chrome OS & Brillo Security
>



-- 
Kees Cook
Chrome OS & Brillo Security

  parent reply index

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-11 15:19 [PATCH 0/2] Document and extend kernel.perf_event_paranoid Ben Hutchings
2016-01-11 15:21 ` [PATCH 1/2] Documentation,perf: Document the perf sysctls Ben Hutchings
2016-01-11 15:23 ` [PATCH 2/2] security,perf: Allow further restriction of perf_event_open Ben Hutchings
2016-04-13 16:12   ` [kernel-hardening] " Kees Cook
2016-06-04 20:56     ` Jeffrey Vander Stoep
     [not found]     ` <CABXk95BE3wpgq-Y08G+Z3ZJbxJwgiuVvtQGaV4n-tD6GKNiFKg@mail.gmail.com>
2016-06-16 22:27       ` Kees Cook [this message]
2016-06-17  6:54         ` Peter Zijlstra
2016-06-17 16:16           ` Daniel Micay
2016-06-17 20:00             ` Arnaldo Carvalho de Melo
2016-06-18  0:51               ` Daniel Micay
2016-06-17  5:56   ` Alexander Shishkin
2016-06-17 12:18     ` Ben Hutchings
2016-06-17 15:24     ` [kernel-hardening] " Daniel Micay
2016-01-19 21:35 ` [PATCH RESEND] perf: Document the perf sysctls Ben Hutchings
2016-01-21 14:25   ` Arnaldo Carvalho de Melo
2016-02-03 10:08   ` [tip:perf/core] perf tools: " tip-bot for Ben Hutchings

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5j+D00zz7dVPX4LpW41Gk=m7G_h25vZgOyYdVbW+wyvj6Q@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=acme@kernel.org \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
	git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
	git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git