Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"

perf_event_paranoid:

perf_event_paranoid:

Controls use of the performance events system by unprivileged

Controls use of the performance events system by unprivileged

users (without CAP_SYS_ADMIN).  The default value is 3 if

users (without CAP_SYS_ADMIN).  The default value is 2.

CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.

 -1: Allow use of (almost) all events by all users

 -1: Allow use of (almost) all events by all users

     Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK

     Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK

     Disallow raw tracepoint access by users without CAP_SYS_ADMIN

     Disallow raw tracepoint access by users without CAP_SYS_ADMIN

>=1: Disallow CPU event access by users without CAP_SYS_ADMIN

>=1: Disallow CPU event access by users without CAP_SYS_ADMIN

>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN

>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN

>=3: Disallow all event access by users without CAP_SYS_ADMIN

==============================================================

==============================================================

CONFIG_SCHEDSTATS=y

CONFIG_SCHEDSTATS=y

CONFIG_RCU_CPU_STALL_TIMEOUT=60

CONFIG_RCU_CPU_STALL_TIMEOUT=60

CONFIG_ENABLE_DEFAULT_TRACERS=y

CONFIG_ENABLE_DEFAULT_TRACERS=y

CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y

CONFIG_SECURITY=y

CONFIG_SECURITY=y

CONFIG_SECURITY_NETWORK=y

CONFIG_SECURITY_NETWORK=y

CONFIG_LSM_MMAP_MIN_ADDR=65536

CONFIG_LSM_MMAP_MIN_ADDR=65536

CONFIG_DEBUG_BOOT_PARAMS=y

CONFIG_DEBUG_BOOT_PARAMS=y

CONFIG_OPTIMIZE_INLINING=y

CONFIG_OPTIMIZE_INLINING=y

CONFIG_UNWINDER_FRAME_POINTER=y

CONFIG_UNWINDER_FRAME_POINTER=y

CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y

CONFIG_SECURITY=y

CONFIG_SECURITY=y

CONFIG_SECURITY_NETWORK=y

CONFIG_SECURITY_NETWORK=y

CONFIG_SECURITY_PATH=y

CONFIG_SECURITY_PATH=y

#define PERF_SECURITY_KERNEL		2

#define PERF_SECURITY_KERNEL		2

#define PERF_SECURITY_TRACEPOINT	3

#define PERF_SECURITY_TRACEPOINT	3

static inline bool perf_paranoid_any(void)

{

	return sysctl_perf_event_paranoid > 2;

}

static inline int perf_is_paranoid(void)

static inline int perf_is_paranoid(void)

{

{

	return sysctl_perf_event_paranoid > -1;

	return sysctl_perf_event_paranoid > -1;

 *   0 - disallow raw tracepoint access for unpriv

 *   0 - disallow raw tracepoint access for unpriv

 *   1 - disallow cpu events for unpriv

 *   1 - disallow cpu events for unpriv

 *   2 - disallow kernel profiling for unpriv

 *   2 - disallow kernel profiling for unpriv

 *   3 - disallow all unpriv perf event use

 */

 */

#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT

int sysctl_perf_event_paranoid __read_mostly = 3;

#else

int sysctl_perf_event_paranoid __read_mostly = 2;

int sysctl_perf_event_paranoid __read_mostly = 2;

#endif

/* Minimum for 512 kiB + 1 user control page */

/* Minimum for 512 kiB + 1 user control page */

int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */

int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */

	if (flags & ~PERF_FLAG_ALL)

	if (flags & ~PERF_FLAG_ALL)

		return -EINVAL;

		return -EINVAL;

	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))

		return -EACCES;

	/* Do we allow access to perf_event_open(2) ? */

	/* Do we allow access to perf_event_open(2) ? */

	err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);

	err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);

	if (err)

	if (err)