[2/2] security, perf: Add config option to restrict perf_event_open
diff mbox

Message ID 1469630783-32413-1-git-send-email-jeffv@google.com
State New
Headers show

Commit Message

Jeffrey Vander Stoep July 27, 2016, 2:46 p.m. UTC
When CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y kernel.perf_event_paranoid
sysctl will be set to 3 by default, and no unprivileged use of the
perf_event_open syscall will be permitted unless it is changed.

This new level of restriction is intended to reduce the attack
surface of the kernel. It allows for a safe default to be set on
production systems at build time while leaving a simple means for
developers to grant access.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
 Documentation/sysctl/kernel.txt | 3 ++-
 kernel/events/core.c            | 4 ++++
 security/Kconfig                | 9 +++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)

Comments

Kees Cook July 27, 2016, 8:43 p.m. UTC | #1
On Wed, Jul 27, 2016 at 7:46 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> When CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y kernel.perf_event_paranoid
> sysctl will be set to 3 by default, and no unprivileged use of the
> perf_event_open syscall will be permitted unless it is changed.
>
> This new level of restriction is intended to reduce the attack
> surface of the kernel. It allows for a safe default to be set on
> production systems at build time while leaving a simple means for
> developers to grant access.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  Documentation/sysctl/kernel.txt | 3 ++-
>  kernel/events/core.c            | 4 ++++
>  security/Kconfig                | 9 +++++++++
>  3 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index fac9798..52daff6 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -659,7 +659,8 @@ allowed to execute.
>  perf_event_paranoid:
>
>  Controls use of the performance events system by unprivileged
> -users (without CAP_SYS_ADMIN).  The default value is 2.
> +users (without CAP_SYS_ADMIN).  The default value is 3 if
> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
>
>   -1: Allow use of (almost) all events by all users
>  >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 52bd100..df9df87 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -355,7 +355,11 @@ static struct srcu_struct pmus_srcu;
>   *   2 - disallow kernel profiling for unpriv
>   *   3 - disallow all unpriv perf event use
>   */
> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
> +int sysctl_perf_event_paranoid __read_mostly = 3;
> +#else
>  int sysctl_perf_event_paranoid __read_mostly = 2;
> +#endif
>
>  /* Minimum for 512 kiB + 1 user control page */
>  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
> diff --git a/security/Kconfig b/security/Kconfig
> index df28f2b..2a93551 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
>
>           If you are unsure how to answer this question, answer N.
>
> +config SECURITY_PERF_EVENTS_RESTRICT
> +       bool "Restrict unprivileged use of performance events"
> +       depends on PERF_EVENTS
> +       help
> +         If you say Y here, the kernel.perf_event_paranoid sysctl
> +         will be set to 3 by default, and no unprivileged use of the
> +         perf_event_open syscall will be permitted unless it is
> +         changed.
> +
>  config SECURITY
>         bool "Enable different security models"
>         depends on SYSFS
> --
> 2.8.0.rc3.226.g39d4020
>
Peter Zijlstra Aug. 2, 2016, 9:55 a.m. UTC | #2
On Wed, Jul 27, 2016 at 07:46:23AM -0700, Jeff Vander Stoep wrote:
> +++ b/kernel/events/core.c
> @@ -355,7 +355,11 @@ static struct srcu_struct pmus_srcu;
>   *   2 - disallow kernel profiling for unpriv
>   *   3 - disallow all unpriv perf event use
>   */
> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
> +int sysctl_perf_event_paranoid __read_mostly = 3;
> +#else
>  int sysctl_perf_event_paranoid __read_mostly = 2;
> +#endif
>  
>  /* Minimum for 512 kiB + 1 user control page */
>  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
> diff --git a/security/Kconfig b/security/Kconfig
> index df28f2b..2a93551 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
>  
>  	  If you are unsure how to answer this question, answer N.
>  
> +config SECURITY_PERF_EVENTS_RESTRICT
> +	bool "Restrict unprivileged use of performance events"
> +	depends on PERF_EVENTS
> +	help
> +	  If you say Y here, the kernel.perf_event_paranoid sysctl
> +	  will be set to 3 by default, and no unprivileged use of the
> +	  perf_event_open syscall will be permitted unless it is
> +	  changed.

NAK.

Apart from the fact that I hate the 3 thing this is not how you do
default CONFIG knobs for !bool state variables.

Use an "int" config not a "bool" config and allow all options to be
default.
Kees Cook Aug. 2, 2016, 3:19 p.m. UTC | #3
On Tue, Aug 2, 2016 at 2:55 AM, Peter Zijlstra <peterz@infradead.org> wrote:
> On Wed, Jul 27, 2016 at 07:46:23AM -0700, Jeff Vander Stoep wrote:
>> +++ b/kernel/events/core.c
>> @@ -355,7 +355,11 @@ static struct srcu_struct pmus_srcu;
>>   *   2 - disallow kernel profiling for unpriv
>>   *   3 - disallow all unpriv perf event use
>>   */
>> +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>> +int sysctl_perf_event_paranoid __read_mostly = 3;
>> +#else
>>  int sysctl_perf_event_paranoid __read_mostly = 2;
>> +#endif
>>
>>  /* Minimum for 512 kiB + 1 user control page */
>>  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
>> diff --git a/security/Kconfig b/security/Kconfig
>> index df28f2b..2a93551 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
>>
>>         If you are unsure how to answer this question, answer N.
>>
>> +config SECURITY_PERF_EVENTS_RESTRICT
>> +     bool "Restrict unprivileged use of performance events"
>> +     depends on PERF_EVENTS
>> +     help
>> +       If you say Y here, the kernel.perf_event_paranoid sysctl
>> +       will be set to 3 by default, and no unprivileged use of the
>> +       perf_event_open syscall will be permitted unless it is
>> +       changed.
>
> NAK.
>
> Apart from the fact that I hate the 3 thing this is not how you do
> default CONFIG knobs for !bool state variables.
>
> Use an "int" config not a "bool" config and allow all options to be
> default.

How about leaving off 2/2 and just keeping 1/2 of this series?

-Kees

Patch
diff mbox

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index fac9798..52daff6 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -659,7 +659,8 @@  allowed to execute.
 perf_event_paranoid:
 
 Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN).  The default value is 2.
+users (without CAP_SYS_ADMIN).  The default value is 3 if
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
 
  -1: Allow use of (almost) all events by all users
 >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 52bd100..df9df87 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -355,7 +355,11 @@  static struct srcu_struct pmus_srcu;
  *   2 - disallow kernel profiling for unpriv
  *   3 - disallow all unpriv perf event use
  */
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
 int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
 
 /* Minimum for 512 kiB + 1 user control page */
 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
diff --git a/security/Kconfig b/security/Kconfig
index df28f2b..2a93551 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@  config SECURITY_DMESG_RESTRICT
 
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_PERF_EVENTS_RESTRICT
+	bool "Restrict unprivileged use of performance events"
+	depends on PERF_EVENTS
+	help
+	  If you say Y here, the kernel.perf_event_paranoid sysctl
+	  will be set to 3 by default, and no unprivileged use of the
+	  perf_event_open syscall will be permitted unless it is
+	  changed.
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS