Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8e5e42d5 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by Alistair Strachan
Browse files

ANDROID: security,perf: Allow further restriction of perf_event_open 

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
the variable read-only.  It also allows enabling further restriction
at run-time regardless of whether the default is changed.

https://lkml.org/lkml/2016/1/11/587

Bug: 29054680
Bug: 120445712
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
[jeffv: Upstream doesn't want it https://lkml.org/lkml/2016/6/17/101

]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 6a82b2aa

Documentation/sysctl/kernel.txt

+3 −1
Original line number Diff line number Diff line
@@ -693,7 +693,8 @@ allowed to execute. 
perf_event_paranoid:



Controls use of the performance events system by unprivileged

users (without CAP_SYS_ADMIN).  The default value is 2.

users (without CAP_SYS_ADMIN).  The default value is 3 if

CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.



 -1: Allow use of (almost) all events by all users

     Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
@@ -701,6 +702,7 @@ users (without CAP_SYS_ADMIN). The default value is 2. 
     Disallow raw tracepoint access by users without CAP_SYS_ADMIN

>=1: Disallow CPU event access by users without CAP_SYS_ADMIN

>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN

>=3: Disallow all event access by users without CAP_SYS_ADMIN



==============================================================

include/linux/perf_event.h

+5 −0
Original line number Diff line number Diff line
@@ -1179,6 +1179,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, 
int perf_event_max_stack_handler(struct ctl_table *table, int write,

				 void __user *buffer, size_t *lenp, loff_t *ppos);



static inline bool perf_paranoid_any(void)

{

	return sysctl_perf_event_paranoid > 2;

}



static inline bool perf_paranoid_tracepoint_raw(void)

{

	return sysctl_perf_event_paranoid > -1;

kernel/events/core.c

+8 −0
Original line number Diff line number Diff line
@@ -397,8 +397,13 @@ static cpumask_var_t perf_online_mask; 
 *   0 - disallow raw tracepoint access for unpriv

 *   1 - disallow cpu events for unpriv

 *   2 - disallow kernel profiling for unpriv

 *   3 - disallow all unpriv perf event use

 */

#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT

int sysctl_perf_event_paranoid __read_mostly = 3;

#else

int sysctl_perf_event_paranoid __read_mostly = 2;

#endif



/* Minimum for 512 kiB + 1 user control page */

int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
@@ -10410,6 +10415,9 @@ SYSCALL_DEFINE5(perf_event_open, 
	if (flags & ~PERF_FLAG_ALL)

		return -EINVAL;



	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))

		return -EACCES;



	err = perf_copy_attr(attr_uptr, &attr);

	if (err)

		return err;

security/Kconfig

+9 −0
Original line number Diff line number Diff line
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT 


	  If you are unsure how to answer this question, answer N.



config SECURITY_PERF_EVENTS_RESTRICT

	bool "Restrict unprivileged use of performance events"

	depends on PERF_EVENTS

	help

	  If you say Y here, the kernel.perf_event_paranoid sysctl

	  will be set to 3 by default, and no unprivileged use of the

	  perf_event_open syscall will be permitted unless it is

	  changed.



config SECURITY

	bool "Enable different security models"

	depends on SYSFS