Loading Documentation/sysctl/kernel.txt +3 −1 Original line number Diff line number Diff line Loading @@ -617,12 +617,14 @@ the existing panic controls already in that directory. perf_event_paranoid: Controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN). The default value is 1. users (without CAP_SYS_ADMIN). The default value is 3 if CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise. -1: Allow use of (almost) all events by all users >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN >=3: Disallow all event access by users without CAP_SYS_ADMIN ============================================================== Loading include/linux/perf_event.h +5 −0 Original line number Diff line number Diff line Loading @@ -753,6 +753,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, loff_t *ppos); static inline bool perf_paranoid_any(void) { return sysctl_perf_event_paranoid > 2; } static inline bool perf_paranoid_tracepoint_raw(void) { return sysctl_perf_event_paranoid > -1; Loading kernel/events/core.c +6 −0 Original line number Diff line number Diff line Loading @@ -171,9 +171,12 @@ static struct srcu_struct pmus_srcu; * 0 - disallow raw tracepoint access for unpriv * 1 - disallow cpu events for unpriv * 2 - disallow kernel profiling for unpriv * 3 - disallow all unpriv perf event use */ #ifdef CONFIG_PERF_EVENTS_USERMODE int sysctl_perf_event_paranoid __read_mostly = -1; #elif defined CONFIG_SECURITY_PERF_EVENTS_RESTRICT int sysctl_perf_event_paranoid __read_mostly = 3; #else int sysctl_perf_event_paranoid __read_mostly = 1; #endif Loading Loading 
@@ -7311,6 +7314,9 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) return -EACCES; err = perf_copy_attr(attr_uptr, &attr); if (err) return err; Loading security/Kconfig +9 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,15 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. config SECURITY_PERF_EVENTS_RESTRICT bool "Restrict unprivileged use of performance events" depends on PERF_EVENTS help If you say Y here, the kernel.perf_event_paranoid sysctl will be set to 3 by default, and no unprivileged use of the perf_event_open syscall will be permitted unless it is changed. config SECURITY bool "Enable different security models" depends on SYSFS Loading Loading
Documentation/sysctl/kernel.txt +3 −1 Original line number Diff line number Diff line Loading @@ -617,12 +617,14 @@ the existing panic controls already in that directory. perf_event_paranoid: Controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN). The default value is 1. users (without CAP_SYS_ADMIN). The default value is 3 if CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise. -1: Allow use of (almost) all events by all users >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN >=3: Disallow all event access by users without CAP_SYS_ADMIN ============================================================== Loading
include/linux/perf_event.h +5 −0 Original line number Diff line number Diff line Loading @@ -753,6 +753,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, loff_t *ppos); static inline bool perf_paranoid_any(void) { return sysctl_perf_event_paranoid > 2; } static inline bool perf_paranoid_tracepoint_raw(void) { return sysctl_perf_event_paranoid > -1; Loading
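Review bot: The new perf_paranoid_any() helper carries no comment relating its `> 2` threshold to the level-3 semantics the same commit documents in Documentation/sysctl/kernel.txt, while the magic thresholds in the neighbouring helpers (`> -1` in perf_paranoid_tracepoint_raw) are equally opaque. A one-line comment above the function, `/* Level 3: deny perf_event_open() entirely to callers without CAP_SYS_ADMIN */`, would let a reader map the helper to the sysctl table without opening core.c. The hunk cuts off perf_paranoid_tracepoint_raw after its return line, so the rest of that sibling is outside this view.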
kernel/events/core.c +6 −0 Original line number Diff line number Diff line Loading @@ -171,9 +171,12 @@ static struct srcu_struct pmus_srcu; * 0 - disallow raw tracepoint access for unpriv * 1 - disallow cpu events for unpriv * 2 - disallow kernel profiling for unpriv * 3 - disallow all unpriv perf event use */ #ifdef CONFIG_PERF_EVENTS_USERMODE int sysctl_perf_event_paranoid __read_mostly = -1; #elif defined CONFIG_SECURITY_PERF_EVENTS_RESTRICT int sysctl_perf_event_paranoid __read_mostly = 3; #else int sysctl_perf_event_paranoid __read_mostly = 1; #endif Loading Loading @@ -7311,6 +7314,9 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) return -EACCES; err = perf_copy_attr(attr_uptr, &attr); if (err) return err; Loading
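Review bot: The preprocessor chain in the first hunk tests `CONFIG_PERF_EVENTS_USERMODE` before `CONFIG_SECURITY_PERF_EVENTS_RESTRICT`, so a kernel with both options enabled silently gets a default of -1 rather than the 3 that the new Kconfig help text and the Documentation hunk promise; the restrictive option loses without any build-time signal. Either reorder the chain so the restrictive branch wins, `#if defined(CONFIG_SECURITY_PERF_EVENTS_RESTRICT)` first and `#elif defined(CONFIG_PERF_EVENTS_USERMODE)` second, or make the two options mutually exclusive in security/Kconfig with `depends on PERF_EVENTS && !PERF_EVENTS_USERMODE` (assuming PERF_EVENTS_USERMODE is a Kconfig symbol, which the `#ifdef` suggests but the diff does not show). Whichever is chosen, the Kconfig help text should state the precedence so an administrator auditing the config can predict the boot-time sysctl value. The second hunk's early `-EACCES` return before perf_copy_attr() is well placed, since the untrusted attr is never copied for callers the policy rejects; SYSCALL_DEFINE5(perf_event_open) continues outside the hunk.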
security/Kconfig +9 −0 Original line number Diff line number Diff line Loading @@ -23,6 +23,15 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. config SECURITY_PERF_EVENTS_RESTRICT bool "Restrict unprivileged use of performance events" depends on PERF_EVENTS help If you say Y here, the kernel.perf_event_paranoid sysctl will be set to 3 by default, and no unprivileged use of the perf_event_open syscall will be permitted unless it is changed. config SECURITY bool "Enable different security models" depends on SYSFS Loading