security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version submitted upstream
This hasn't been *accepted* upstream, but maybe some day? It has gone into AOSP.
This commit is contained in:
parent
357c2335a5
commit
6573a2a7c7
|
@ -13,6 +13,8 @@ linux (4.8-1~exp1) UNRELEASED; urgency=medium
|
||||||
* [mips*] Enable RANDOMIZE_BASE
|
* [mips*] Enable RANDOMIZE_BASE
|
||||||
* Enable SLAB_FREELIST_RANDOM
|
* Enable SLAB_FREELIST_RANDOM
|
||||||
* [arm*,powerpc*,s390x,sparc64,x86] Enable HARDENED_USERCOPY
|
* [arm*,powerpc*,s390x,sparc64,x86] Enable HARDENED_USERCOPY
|
||||||
|
* security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version
|
||||||
|
submitted upstream
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 01 Oct 2016 21:51:33 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Sat, 01 Oct 2016 21:51:33 +0100
|
||||||
|
|
||||||
|
|
|
@ -5459,11 +5459,6 @@ CONFIG_XFS_RT=y
|
||||||
# CONFIG_XFS_WARN is not set
|
# CONFIG_XFS_WARN is not set
|
||||||
# CONFIG_XFS_DEBUG is not set
|
# CONFIG_XFS_DEBUG is not set
|
||||||
|
|
||||||
##
|
|
||||||
## file: grsecurity/Kconfig
|
|
||||||
##
|
|
||||||
CONFIG_GRKERNSEC_PERF_HARDEN=y
|
|
||||||
|
|
||||||
##
|
##
|
||||||
## file: init/Kconfig
|
## file: init/Kconfig
|
||||||
##
|
##
|
||||||
|
@ -6649,6 +6644,7 @@ CONFIG_NET_KEY_MIGRATE=y
|
||||||
## file: security/Kconfig
|
## file: security/Kconfig
|
||||||
##
|
##
|
||||||
CONFIG_GRKERNSEC=y
|
CONFIG_GRKERNSEC=y
|
||||||
|
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
|
||||||
CONFIG_SECURITY=y
|
CONFIG_SECURITY=y
|
||||||
CONFIG_SECURITY_NETWORK=y
|
CONFIG_SECURITY_NETWORK=y
|
||||||
CONFIG_SECURITY_NETWORK_XFRM=y
|
CONFIG_SECURITY_NETWORK_XFRM=y
|
||||||
|
|
|
@ -1,76 +0,0 @@
|
||||||
From: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
Subject: grsecurity: GRKERNSEC_PERF_HARDEN
|
|
||||||
Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
|
|
||||||
|
|
||||||
The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity. Adds the
|
|
||||||
option to disable perf_event_open() entirely for unprivileged users.
|
|
||||||
This standalone version doesn't include making the variable read-only
|
|
||||||
(or renaming it).
|
|
||||||
|
|
||||||
---
|
|
||||||
--- a/include/linux/perf_event.h
|
|
||||||
+++ b/include/linux/perf_event.h
|
|
||||||
@@ -1122,6 +1122,11 @@ extern int perf_cpu_time_max_percent_han
|
|
||||||
int perf_event_max_stack_handler(struct ctl_table *table, int write,
|
|
||||||
void __user *buffer, size_t *lenp, loff_t *ppos);
|
|
||||||
|
|
||||||
+static inline bool perf_paranoid_any(void)
|
|
||||||
+{
|
|
||||||
+ return sysctl_perf_event_paranoid > 2;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static inline bool perf_paranoid_tracepoint_raw(void)
|
|
||||||
{
|
|
||||||
return sysctl_perf_event_paranoid > -1;
|
|
||||||
--- a/kernel/events/core.c
|
|
||||||
+++ b/kernel/events/core.c
|
|
||||||
@@ -352,8 +352,13 @@ static struct srcu_struct pmus_srcu;
|
|
||||||
* 0 - disallow raw tracepoint access for unpriv
|
|
||||||
* 1 - disallow cpu events for unpriv
|
|
||||||
* 2 - disallow kernel profiling for unpriv
|
|
||||||
+ * 3 - disallow all unpriv perf event use
|
|
||||||
*/
|
|
||||||
+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
|
|
||||||
+int sysctl_perf_event_paranoid __read_mostly = 3;
|
|
||||||
+#else
|
|
||||||
int sysctl_perf_event_paranoid __read_mostly = 2;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Minimum for 512 kiB + 1 user control page */
|
|
||||||
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
|
|
||||||
@@ -9181,6 +9186,11 @@ SYSCALL_DEFINE5(perf_event_open,
|
|
||||||
if (flags & ~PERF_FLAG_ALL)
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
|
|
||||||
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
|
|
||||||
+ return -EACCES;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
err = perf_copy_attr(attr_uptr, &attr);
|
|
||||||
if (err)
|
|
||||||
return err;
|
|
||||||
--- a/grsecurity/Kconfig
|
|
||||||
+++ b/grsecurity/Kconfig
|
|
||||||
@@ -1,3 +1,21 @@
|
|
||||||
#
|
|
||||||
# grecurity configuration
|
|
||||||
#
|
|
||||||
+config GRKERNSEC_PERF_HARDEN
|
|
||||||
+ bool "Disable unprivileged PERF_EVENTS usage by default"
|
|
||||||
+ depends on PERF_EVENTS
|
|
||||||
+ help
|
|
||||||
+ If you say Y here, the range of acceptable values for the
|
|
||||||
+ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
|
|
||||||
+ default to a new value: 3. When the sysctl is set to this value, no
|
|
||||||
+ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
|
|
||||||
+
|
|
||||||
+ Though PERF_EVENTS can be used legitimately for performance monitoring
|
|
||||||
+ and low-level application profiling, it is forced on regardless of
|
|
||||||
+ configuration, has been at fault for several vulnerabilities, and
|
|
||||||
+ creates new opportunities for side channels and other information leaks.
|
|
||||||
+
|
|
||||||
+ This feature puts PERF_EVENTS into a secure default state and permits
|
|
||||||
+ the administrator to change out of it temporarily if unprivileged
|
|
||||||
+ application profiling is needed.
|
|
||||||
+
|
|
75
debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
vendored
Normal file
75
debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
vendored
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
From: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
Date: Mon, 11 Jan 2016 15:23:55 +0000
|
||||||
|
Subject: security,perf: Allow further restriction of perf_event_open
|
||||||
|
Forwarded: https://lkml.org/lkml/2016/1/11/587
|
||||||
|
|
||||||
|
When kernel.perf_event_open is set to 3 (or greater), disallow all
|
||||||
|
access to performance events by users without CAP_SYS_ADMIN.
|
||||||
|
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
|
||||||
|
makes this value the default.
|
||||||
|
|
||||||
|
This is based on a similar feature in grsecurity
|
||||||
|
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
|
||||||
|
the variable read-only. It also allows enabling further restriction
|
||||||
|
at run-time regardless of whether the default is changed.
|
||||||
|
|
||||||
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
---
|
||||||
|
--- a/include/linux/perf_event.h
|
||||||
|
+++ b/include/linux/perf_event.h
|
||||||
|
@@ -1145,6 +1145,11 @@ extern int perf_cpu_time_max_percent_han
|
||||||
|
int perf_event_max_stack_handler(struct ctl_table *table, int write,
|
||||||
|
void __user *buffer, size_t *lenp, loff_t *ppos);
|
||||||
|
|
||||||
|
+static inline bool perf_paranoid_any(void)
|
||||||
|
+{
|
||||||
|
+ return sysctl_perf_event_paranoid > 2;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static inline bool perf_paranoid_tracepoint_raw(void)
|
||||||
|
{
|
||||||
|
return sysctl_perf_event_paranoid > -1;
|
||||||
|
--- a/kernel/events/core.c
|
||||||
|
+++ b/kernel/events/core.c
|
||||||
|
@@ -389,8 +389,13 @@ static struct srcu_struct pmus_srcu;
|
||||||
|
* 0 - disallow raw tracepoint access for unpriv
|
||||||
|
* 1 - disallow cpu events for unpriv
|
||||||
|
* 2 - disallow kernel profiling for unpriv
|
||||||
|
+ * 3 - disallow all unpriv perf event use
|
||||||
|
*/
|
||||||
|
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
|
||||||
|
+int sysctl_perf_event_paranoid __read_mostly = 3;
|
||||||
|
+#else
|
||||||
|
int sysctl_perf_event_paranoid __read_mostly = 2;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* Minimum for 512 kiB + 1 user control page */
|
||||||
|
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
|
||||||
|
@@ -9395,6 +9400,9 @@ SYSCALL_DEFINE5(perf_event_open,
|
||||||
|
if (flags & ~PERF_FLAG_ALL)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
|
||||||
|
+ return -EACCES;
|
||||||
|
+
|
||||||
|
err = perf_copy_attr(attr_uptr, &attr);
|
||||||
|
if (err)
|
||||||
|
return err;
|
||||||
|
--- a/security/Kconfig
|
||||||
|
+++ b/security/Kconfig
|
||||||
|
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
|
||||||
|
|
||||||
|
If you are unsure how to answer this question, answer N.
|
||||||
|
|
||||||
|
+config SECURITY_PERF_EVENTS_RESTRICT
|
||||||
|
+ bool "Restrict unprivileged use of performance events"
|
||||||
|
+ depends on PERF_EVENTS
|
||||||
|
+ help
|
||||||
|
+ If you say Y here, the kernel.perf_event_paranoid sysctl
|
||||||
|
+ will be set to 3 by default, and no unprivileged use of the
|
||||||
|
+ perf_event_open syscall will be permitted unless it is
|
||||||
|
+ changed.
|
||||||
|
+
|
||||||
|
config SECURITY
|
||||||
|
bool "Enable different security models"
|
||||||
|
depends on SYSFS
|
|
@ -35,6 +35,7 @@ debian/fs-enable-link-security-restrictions-by-default.patch
|
||||||
debian/sched-autogroup-disabled.patch
|
debian/sched-autogroup-disabled.patch
|
||||||
debian/yama-disable-by-default.patch
|
debian/yama-disable-by-default.patch
|
||||||
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
|
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
|
||||||
|
features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
|
||||||
|
|
||||||
# Disable autoloading/probing of various drivers by default
|
# Disable autoloading/probing of various drivers by default
|
||||||
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
|
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
|
||||||
|
@ -68,7 +69,6 @@ bugfix/all/ext4-fix-bug-838544.patch
|
||||||
features/all/grsecurity/grsecurity-kconfig.patch
|
features/all/grsecurity/grsecurity-kconfig.patch
|
||||||
# Disabled until we add code into the grsecurity/ directory
|
# Disabled until we add code into the grsecurity/ directory
|
||||||
#features/all/grsecurity/grsecurity-kbuild.patch
|
#features/all/grsecurity/grsecurity-kbuild.patch
|
||||||
features/all/grsecurity/grkernsec_perf_harden.patch
|
|
||||||
|
|
||||||
# Securelevel patchset from mjg59
|
# Securelevel patchset from mjg59
|
||||||
features/all/securelevel/add-bsd-style-securelevel-support.patch
|
features/all/securelevel/add-bsd-style-securelevel-support.patch
|
||||||
|
|
Loading…
Reference in New Issue