security: Apply and enable GRKERNSEC_PERF_HARDEN feature from Grsecurity
This disables use of perf_event_open() by unprivileged users by default (sysctl: kernel.perf_event_paranoid) svn path=/dists/trunk/linux/; revision=22892
This commit is contained in:
parent
97c02bf649
commit
621e438f4d
|
@ -32,6 +32,9 @@ linux (4.1.3-1) UNRELEASED; urgency=medium
|
||||||
* [x86] block: Enable BLK_DEV_PMEM as module; enable X86_PMEM_LEGACY
|
* [x86] block: Enable BLK_DEV_PMEM as module; enable X86_PMEM_LEGACY
|
||||||
* [x86] tpm: Enable TCG_CRB as module
|
* [x86] tpm: Enable TCG_CRB as module
|
||||||
* debug: Enable DEBUG_LIST
|
* debug: Enable DEBUG_LIST
|
||||||
|
* security: Apply and enable GRKERNSEC_PERF_HARDEN feature from Grsecurity,
|
||||||
|
disabling use of perf_event_open() by unprivileged users by default
|
||||||
|
(sysctl: kernel.perf_event_paranoid)
|
||||||
|
|
||||||
[ Ian Campbell ]
|
[ Ian Campbell ]
|
||||||
* [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.
|
* [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.
|
||||||
|
|
|
@ -5141,6 +5141,11 @@ CONFIG_XFS_RT=y
|
||||||
# CONFIG_XFS_WARN is not set
|
# CONFIG_XFS_WARN is not set
|
||||||
# CONFIG_XFS_DEBUG is not set
|
# CONFIG_XFS_DEBUG is not set
|
||||||
|
|
||||||
|
##
|
||||||
|
## file: grsecurity/Kconfig
|
||||||
|
##
|
||||||
|
CONFIG_GRKERNSEC_PERF_HARDEN=y
|
||||||
|
|
||||||
##
|
##
|
||||||
## file: init/Kconfig
|
## file: init/Kconfig
|
||||||
##
|
##
|
||||||
|
@ -6279,6 +6284,7 @@ CONFIG_NET_KEY_MIGRATE=y
|
||||||
##
|
##
|
||||||
## file: security/Kconfig
|
## file: security/Kconfig
|
||||||
##
|
##
|
||||||
|
CONFIG_GRKERNSEC=y
|
||||||
CONFIG_SECURITY=y
|
CONFIG_SECURITY=y
|
||||||
CONFIG_SECURITY_NETWORK=y
|
CONFIG_SECURITY_NETWORK=y
|
||||||
CONFIG_SECURITY_NETWORK_XFRM=y
|
CONFIG_SECURITY_NETWORK_XFRM=y
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
From: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
Subject: grsecurity: GRKERNSEC_PERF_HARDEN
|
||||||
|
Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
|
||||||
|
|
||||||
|
The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity. Adds the
|
||||||
|
option to disable perf_event_open() entirely for unprivileged users.
|
||||||
|
This standalone version doesn't include making the variable read-only
|
||||||
|
(or renaming it).
|
||||||
|
|
||||||
|
---
|
||||||
|
--- a/include/linux/perf_event.h
|
||||||
|
+++ b/include/linux/perf_event.h
|
||||||
|
@@ -851,6 +851,11 @@ extern int perf_cpu_time_max_percent_han
|
||||||
|
loff_t *ppos);
|
||||||
|
|
||||||
|
|
||||||
|
+static inline bool perf_paranoid_any(void)
|
||||||
|
+{
|
||||||
|
+ return sysctl_perf_event_paranoid > 2;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static inline bool perf_paranoid_tracepoint_raw(void)
|
||||||
|
{
|
||||||
|
return sysctl_perf_event_paranoid > -1;
|
||||||
|
--- a/kernel/events/core.c
|
||||||
|
+++ b/kernel/events/core.c
|
||||||
|
@@ -172,8 +172,13 @@ static struct srcu_struct pmus_srcu;
|
||||||
|
* 0 - disallow raw tracepoint access for unpriv
|
||||||
|
* 1 - disallow cpu events for unpriv
|
||||||
|
* 2 - disallow kernel profiling for unpriv
|
||||||
|
+ * 3 - disallow all unpriv perf event use
|
||||||
|
*/
|
||||||
|
+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
|
||||||
|
+int sysctl_perf_event_paranoid __read_mostly = 3;
|
||||||
|
+#else
|
||||||
|
int sysctl_perf_event_paranoid __read_mostly = 1;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* Minimum for 512 kiB + 1 user control page */
|
||||||
|
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
|
||||||
|
@@ -7892,6 +7897,11 @@ SYSCALL_DEFINE5(perf_event_open,
|
||||||
|
if (flags & ~PERF_FLAG_ALL)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
|
||||||
|
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
|
||||||
|
+ return -EACCES;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
err = perf_copy_attr(attr_uptr, &attr);
|
||||||
|
if (err)
|
||||||
|
return err;
|
||||||
|
--- a/grsecurity/Kconfig
|
||||||
|
+++ b/grsecurity/Kconfig
|
||||||
|
@@ -1,3 +1,21 @@
|
||||||
|
#
|
||||||
|
# grecurity configuration
|
||||||
|
#
|
||||||
|
+config GRKERNSEC_PERF_HARDEN
|
||||||
|
+ bool "Disable unprivileged PERF_EVENTS usage by default"
|
||||||
|
+ depends on PERF_EVENTS
|
||||||
|
+ help
|
||||||
|
+ If you say Y here, the range of acceptable values for the
|
||||||
|
+ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
|
||||||
|
+ default to a new value: 3. When the sysctl is set to this value, no
|
||||||
|
+ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
|
||||||
|
+
|
||||||
|
+ Though PERF_EVENTS can be used legitimately for performance monitoring
|
||||||
|
+ and low-level application profiling, it is forced on regardless of
|
||||||
|
+ configuration, has been at fault for several vulnerabilities, and
|
||||||
|
+ creates new opportunities for side channels and other information leaks.
|
||||||
|
+
|
||||||
|
+ This feature puts PERF_EVENTS into a secure default state and permits
|
||||||
|
+ the administrator to change out of it temporarily if unprivileged
|
||||||
|
+ application profiling is needed.
|
||||||
|
+
|
|
@ -0,0 +1,42 @@
|
||||||
|
From: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
Subject: grsecurity: Kbuild integration
|
||||||
|
Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
|
||||||
|
|
||||||
|
Kbuild integration changes extracted from Grsecurity.
|
||||||
|
|
||||||
|
Subsequent patches will add to the empty Makefile.
|
||||||
|
|
||||||
|
--- a/Makefile
|
||||||
|
+++ b/Makefile
|
||||||
|
@@ -887,7 +887,7 @@ export mod_sign_cmd
|
||||||
|
|
||||||
|
|
||||||
|
ifeq ($(KBUILD_EXTMOD),)
|
||||||
|
-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
|
||||||
|
+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
|
||||||
|
|
||||||
|
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
|
||||||
|
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grsecurity/Makefile
|
||||||
|
@@ -0,0 +1,20 @@
|
||||||
|
+# grsecurity – access control and security hardening for Linux
|
||||||
|
+# All code in this directory and various hooks located throughout the Linux kernel are
|
||||||
|
+# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
|
||||||
|
+# http://www.grsecurity.net spender@grsecurity.net
|
||||||
|
+#
|
||||||
|
+# This program is free software; you can redistribute it and/or
|
||||||
|
+# modify it under the terms of the GNU General Public License version 2
|
||||||
|
+# as published by the Free Software Foundation.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program; if not, write to the Free Software
|
||||||
|
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
+
|
||||||
|
+KBUILD_CFLAGS += -Werror
|
||||||
|
+
|
|
@ -0,0 +1,47 @@
|
||||||
|
From: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
Subject: grsecurity: Kconfig integration
|
||||||
|
Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
|
||||||
|
|
||||||
|
Kconfig integration changes extracted from Grsecurity, with help
|
||||||
|
strings changed to make it clear that is not the real thing.
|
||||||
|
|
||||||
|
Subsequent patches will add to the empty menu.
|
||||||
|
|
||||||
|
---
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grsecurity/Kconfig
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+#
|
||||||
|
+# grecurity configuration
|
||||||
|
+#
|
||||||
|
--- a/security/Kconfig
|
||||||
|
+++ b/security/Kconfig
|
||||||
|
@@ -4,6 +4,28 @@
|
||||||
|
|
||||||
|
menu "Security options"
|
||||||
|
|
||||||
|
+menu "Hardening features (from Grsecurity)"
|
||||||
|
+
|
||||||
|
+config GRKERNSEC
|
||||||
|
+ bool "Hardening features (from Grsecurity)"
|
||||||
|
+ select DEBUG_KERNEL
|
||||||
|
+ select DEBUG_LIST
|
||||||
|
+ help
|
||||||
|
+ If you say Y here, you will be able to configure many features
|
||||||
|
+ that will enhance the security of your system. It is highly
|
||||||
|
+ recommended that you say Y here and read through the help
|
||||||
|
+ for each option so that you fully understand the features and
|
||||||
|
+ can evaluate their usefulness for your machine.
|
||||||
|
+
|
||||||
|
+menu "Customize Configuration"
|
||||||
|
+depends on GRKERNSEC
|
||||||
|
+
|
||||||
|
+source grsecurity/Kconfig
|
||||||
|
+
|
||||||
|
+endmenu
|
||||||
|
+
|
||||||
|
+endmenu
|
||||||
|
+
|
||||||
|
source security/keys/Kconfig
|
||||||
|
|
||||||
|
config SECURITY_DMESG_RESTRICT
|
|
@ -90,3 +90,9 @@ bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
|
||||||
bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
|
bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
|
||||||
bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
|
bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
|
||||||
bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
|
bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
|
||||||
|
|
||||||
|
# Hardening from grsecurity
|
||||||
|
features/all/grsecurity/grsecurity-kconfig.patch
|
||||||
|
# Disabled until we add code into the grsecurity/ directory
|
||||||
|
#features/all/grsecurity/grsecurity-kbuild.patch
|
||||||
|
features/all/grsecurity/grkernsec_perf_harden.patch
|
||||||
|
|
Loading…
Reference in New Issue