From: Jeff Vander Stoep <jeffv@google.com>
To: kernel-hardening@lists.openwall.com
Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
Jeff Vander Stoep <jeffv@google.com>
Subject: [PATCH 2/2] security, perf: Add config option to restrict perf_event_open
Date: Wed, 27 Jul 2016 07:46:23 -0700 [thread overview]
Message-ID: <1469630783-32413-1-git-send-email-jeffv@google.com> (raw)
When CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y kernel.perf_event_paranoid
sysctl will be set to 3 by default, and no unprivileged use of the
perf_event_open syscall will be permitted unless it is changed.
This new level of restriction is intended to reduce the attack
surface of the kernel. It allows for a safe default to be set on
production systems at build time while leaving a simple means for
developers to grant access.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
Documentation/sysctl/kernel.txt | 3 ++-
kernel/events/core.c | 4 ++++
security/Kconfig | 9 +++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index fac9798..52daff6 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -659,7 +659,8 @@ allowed to execute.
perf_event_paranoid:
Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN). The default value is 2.
+users (without CAP_SYS_ADMIN). The default value is 3 if
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
-1: Allow use of (almost) all events by all users
>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 52bd100..df9df87 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -355,7 +355,11 @@ static struct srcu_struct pmus_srcu;
* 2 - disallow kernel profiling for unpriv
* 3 - disallow all unpriv perf event use
*/
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
diff --git a/security/Kconfig b/security/Kconfig
index df28f2b..2a93551 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
If you are unsure how to answer this question, answer N.
+config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
config SECURITY
bool "Enable different security models"
depends on SYSFS
--
2.8.0.rc3.226.g39d4020
WARNING: multiple messages have this Message-ID (diff)
From: Jeff Vander Stoep <jeffv@google.com>
To: kernel-hardening@lists.openwall.com
Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
Jeff Vander Stoep <jeffv@google.com>
Subject: [kernel-hardening] [PATCH 2/2] security, perf: Add config option to restrict perf_event_open
Date: Wed, 27 Jul 2016 07:46:23 -0700 [thread overview]
Message-ID: <1469630783-32413-1-git-send-email-jeffv@google.com> (raw)
When CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y kernel.perf_event_paranoid
sysctl will be set to 3 by default, and no unprivileged use of the
perf_event_open syscall will be permitted unless it is changed.
This new level of restriction is intended to reduce the attack
surface of the kernel. It allows for a safe default to be set on
production systems at build time while leaving a simple means for
developers to grant access.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
Documentation/sysctl/kernel.txt | 3 ++-
kernel/events/core.c | 4 ++++
security/Kconfig | 9 +++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index fac9798..52daff6 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -659,7 +659,8 @@ allowed to execute.
perf_event_paranoid:
Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN). The default value is 2.
+users (without CAP_SYS_ADMIN). The default value is 3 if
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
-1: Allow use of (almost) all events by all users
>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 52bd100..df9df87 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -355,7 +355,11 @@ static struct srcu_struct pmus_srcu;
* 2 - disallow kernel profiling for unpriv
* 3 - disallow all unpriv perf event use
*/
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
diff --git a/security/Kconfig b/security/Kconfig
index df28f2b..2a93551 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
If you are unsure how to answer this question, answer N.
+config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
config SECURITY
bool "Enable different security models"
depends on SYSFS
--
2.8.0.rc3.226.g39d4020
next reply other threads:[~2016-07-27 14:46 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-27 14:46 Jeff Vander Stoep [this message]
2016-07-27 14:46 ` [kernel-hardening] [PATCH 2/2] security, perf: Add config option to restrict perf_event_open Jeff Vander Stoep
2016-07-27 20:43 ` Kees Cook
2016-07-27 20:43 ` [kernel-hardening] " Kees Cook
2016-08-02 9:55 ` Peter Zijlstra
2016-08-02 9:55 ` [kernel-hardening] " Peter Zijlstra
2016-08-02 15:19 ` Kees Cook
2016-08-02 15:19 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1469630783-32413-1-git-send-email-jeffv@google.com \
--to=jeffv@google.com \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.