
Commit 020b443d authored by Jeff Vander Stoep, committed by Alistair Delva

Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"

Unfork Android.

This reverts commit 5dbd8df7.

Perf_event_paranoid=3 is no longer needed on Android. Access control
of perf events is now done by selinux. See:
https://patchwork.kernel.org/patch/11185793/



IGNORE_MERGE_CONFLICT_CHECK==kernel.rst documentation uses "====".

Bug: 120445712
Bug: 137092007
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Change-Id: Iba493424174b30baff460caaa25a54a472c87bd4
parent dc34c9f1
+1 −4
@@ -720,8 +720,7 @@ perf_event_paranoid:
====================

Controls use of the performance events system by unprivileged
users (without CAP_SYS_ADMIN).  The default value is 3 if
CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
users (without CAP_SYS_ADMIN).  The default value is 2.

===  ==================================================================
 -1  Allow use of (almost) all events by all users
@@ -735,8 +734,6 @@ CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
>=1  Disallow CPU event access by users without CAP_SYS_ADMIN

>=2  Disallow kernel profiling by users without CAP_SYS_ADMIN

>=3: Disallow all event access by users without CAP_SYS_ADMIN
===  ==================================================================


+0 −1
@@ -472,7 +472,6 @@ CONFIG_NLS_MAC_INUIT=y
CONFIG_NLS_MAC_ROMANIAN=y
CONFIG_NLS_MAC_TURKISH=y
CONFIG_NLS_UTF8=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_HARDENED_USERCOPY=y
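
Review bot: Confirm that this defconfig enables SELinux, because the lines visible around the dropped CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y show only CONFIG_SECURITY=y, CONFIG_SECURITY_NETWORK=y and CONFIG_HARDENED_USERCOPY=y. The commit message moves perf access control to SELinux, so if the SELinux option or a policy covering perf events is missing here, nothing replaces the restriction this option provided. The same check applies to the second defconfig that drops the same line.
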
+0 −1
@@ -405,7 +405,6 @@ CONFIG_NLS_MAC_INUIT=y
CONFIG_NLS_MAC_ROMANIAN=y
CONFIG_NLS_MAC_TURKISH=y
CONFIG_NLS_UTF8=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_HARDENED_USERCOPY=y
+0 −5
@@ -1253,11 +1253,6 @@ int perf_event_max_stack_handler(struct ctl_table *table, int write,
#define PERF_SECURITY_KERNEL		2
#define PERF_SECURITY_TRACEPOINT	3

static inline bool perf_paranoid_any(void)
{
	return sysctl_perf_event_paranoid > 2;
}

static inline int perf_is_paranoid(void)
{
	return sysctl_perf_event_paranoid > -1;
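
Review bot: Dropping perf_paranoid_any() from this header will break the build for any caller that is left, and the only call site this patch removes is the one in perf_event_open. Check vendor and out-of-tree code for other uses before merging, and where a caller used the helper as a privilege gate, decide what replaces it instead of just deleting the call.
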
+0 −8
@@ -398,13 +398,8 @@ static cpumask_var_t perf_online_mask;
 *   0 - disallow raw tracepoint access for unpriv
 *   1 - disallow cpu events for unpriv
 *   2 - disallow kernel profiling for unpriv
 *   3 - disallow all unpriv perf event use
 */
#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
int sysctl_perf_event_paranoid __read_mostly = 3;
#else
int sysctl_perf_event_paranoid __read_mostly = 2;
#endif

/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
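
Review bot: Nothing in this hunk stops userspace from still writing 3 to sysctl_perf_event_paranoid, even though level 3 is removed from the comment and the default becomes 2 unconditionally. If the sysctl handler keeps accepting that value, a write of 3 will succeed and behave like 2, so boot scripts that set it will silently lose the full block. Say so in the commit message, or in the sysctl documentation, so that integrators know to rely on policy instead.
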
@@ -10927,9 +10922,6 @@ SYSCALL_DEFINE5(perf_event_open,
	if (flags & ~PERF_FLAG_ALL)
		return -EINVAL;

	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
		return -EACCES;

	/* Do we allow access to perf_event_open(2) ? */
	err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
	if (err)
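
Review bot: The blanket denial for callers without CAP_SYS_ADMIN in SYSCALL_DEFINE5(perf_event_open) now depends entirely on security_perf_event_open() returning an error, which fails open on any build where no LSM policy restricts perf events. This revert should land together with, or after, the SELinux policy it relies on. Stating that ordering in the commit message would help anyone backporting it to a tree that still lacks the policy.
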