
Commit 025a1ee6 authored by Jeff Vander Stoep, committed by Alistair Delva

Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"

Unfork Android.

This reverts commit 8e5e42d5.

Perf_event_paranoid=3 is no longer needed on Android. Access control
of perf events is now done by selinux. See:
https://patchwork.kernel.org/patch/11185793/



Bug: 120445712
Bug: 137092007
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Change-Id: Iba493424174b30baff460caaa25a54a472c87bd4
parent c3f91ecb
+1 −3
@@ -693,8 +693,7 @@ allowed to execute.
perf_event_paranoid:

Controls use of the performance events system by unprivileged
users (without CAP_SYS_ADMIN).  The default value is 3 if
CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
users (without CAP_SYS_ADMIN).  The default value is 2.

 -1: Allow use of (almost) all events by all users
     Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
@@ -702,7 +701,6 @@ CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
     Disallow raw tracepoint access by users without CAP_SYS_ADMIN
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
>=3: Disallow all event access by users without CAP_SYS_ADMIN

==============================================================
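Review bot: with the ">=3" entry removed, the list no longer says what a value of 3 means, and by the list's own ">=" notation a 3 written by existing userspace now falls under ">=2" (kernel profiling restricted, other events allowed). Suggest one sentence stating that values above 2 carry no extra restriction and that tighter control is expected to come from the LSM, which is what the commit message relies on.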

+0 −1
@@ -464,7 +464,6 @@ CONFIG_NLS_MAC_INUIT=y
CONFIG_NLS_MAC_ROMANIAN=y
CONFIG_NLS_MAC_TURKISH=y
CONFIG_NLS_UTF8=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_HARDENED_USERCOPY=y
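Review bot: dropping CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y here is only safe if this defconfig also builds the LSM that takes over the check, and the visible context shows just CONFIG_SECURITY=y and CONFIG_SECURITY_NETWORK=y. Please confirm CONFIG_SECURITY_SELINUX=y is set in this file (and in the second defconfig changed the same way), since the commit message says access control of perf events is now done by selinux.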
+0 −1
@@ -401,7 +401,6 @@ CONFIG_NLS_MAC_INUIT=y
CONFIG_NLS_MAC_ROMANIAN=y
CONFIG_NLS_MAC_TURKISH=y
CONFIG_NLS_UTF8=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_HARDENED_USERCOPY=y
+0 −5
@@ -1206,11 +1206,6 @@ int perf_event_max_stack_handler(struct ctl_table *table, int write,
#define PERF_SECURITY_KERNEL		2
#define PERF_SECURITY_TRACEPOINT	3

static inline bool perf_paranoid_any(void)
{
	return sysctl_perf_event_paranoid > 2;
}

static inline int perf_is_paranoid(void)
{
	return sysctl_perf_event_paranoid > -1;
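Review bot: removing perf_paranoid_any() from the header will break the build for any caller left behind; the only caller this commit touches is the check in perf_event_open. Worth a grep across drivers and vendor code for other users before this lands, since a static inline in a shared header is easy to pick up out of tree.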
+0 −8
@@ -397,13 +397,8 @@ static cpumask_var_t perf_online_mask;
 *   0 - disallow raw tracepoint access for unpriv
 *   1 - disallow cpu events for unpriv
 *   2 - disallow kernel profiling for unpriv
 *   3 - disallow all unpriv perf event use
 */
#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
int sysctl_perf_event_paranoid __read_mostly = 3;
#else
int sysctl_perf_event_paranoid __read_mostly = 2;
#endif

/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -10550,9 +10545,6 @@ SYSCALL_DEFINE5(perf_event_open,
	if (flags & ~PERF_FLAG_ALL)
		return -EINVAL;

	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
		return -EACCES;

	/* Do we allow access to perf_event_open(2) ? */
	err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
	if (err)
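Review bot: once the perf_paranoid_any() / CAP_SYS_ADMIN check ahead of security_perf_event_open() is gone, the open-time decision for unprivileged callers rests entirely on what that hook returns. On a build where no LSM implements the hook, or where the loaded policy has no rules for perf events, the call proceeds at the point where it used to return -EACCES. Suggest the commit message state the policy this depends on, and that the change is tested with an unprivileged caller under enforcing SELinux to confirm the denial now comes from the hook.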