From patchwork Wed Jul 27 14:46:23 2016
X-Patchwork-Submitter: Jeffrey Vander Stoep
X-Patchwork-Id: 9249923
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Reply-To: kernel-hardening@lists.openwall.com
From: Jeff Vander Stoep
To: kernel-hardening@lists.openwall.com
Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org, alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Vander Stoep
Date: Wed, 27 Jul 2016 07:46:23 -0700
Message-Id: <1469630783-32413-1-git-send-email-jeffv@google.com>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
Subject: [kernel-hardening] [PATCH 2/2] security, perf: Add config option to restrict perf_event_open

When CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y, the kernel.perf_event_paranoid sysctl will be set to 3 by default, and no unprivileged use of the perf_event_open syscall will be permitted unless it is changed.

This new level of restriction is intended to reduce the attack surface of the kernel. It allows for a safe default to be set on production systems at build time while leaving a simple means for developers to grant access.
Signed-off-by: Jeff Vander Stoep Reviewed-by: Kees Cook --- Documentation/sysctl/kernel.txt | 3 ++- kernel/events/core.c | 4 ++++ security/Kconfig | 9 +++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index fac9798..52daff6 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -659,7 +659,8 @@ allowed to execute. perf_event_paranoid: Controls use of the performance events system by unprivileged -users (without CAP_SYS_ADMIN). The default value is 2. +users (without CAP_SYS_ADMIN). The default value is 3 if +CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise. -1: Allow use of (almost) all events by all users >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK diff --git a/kernel/events/core.c b/kernel/events/core.c index 52bd100..df9df87 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -355,7 +355,11 @@ static struct srcu_struct pmus_srcu; * 2 - disallow kernel profiling for unpriv * 3 - disallow all unpriv perf event use */ +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT +int sysctl_perf_event_paranoid __read_mostly = 3; +#else int sysctl_perf_event_paranoid __read_mostly = 2; +#endif /* Minimum for 512 kiB + 1 user control page */ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ diff --git a/security/Kconfig b/security/Kconfig index df28f2b..2a93551 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. +config SECURITY_PERF_EVENTS_RESTRICT + bool "Restrict unprivileged use of performance events" + depends on PERF_EVENTS + help + If you say Y here, the kernel.perf_event_paranoid sysctl + will be set to 3 by default, and no unprivileged use of the + perf_event_open syscall will be permitted unless it is + changed. + config SECURITY bool "Enable different security models" depends on SYSFS
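Review bot: in the Documentation/sysctl/kernel.txt hunk the stated default becomes 3 when CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, but the enumerated list that follows is only visible down to the ">=0:" entry; confirm that kernel.txt carries an entry for level 3 (the core.c comment in this series describes it as "disallow all unpriv perf event use"), otherwise the text advertises a default that its own list never defines.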
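Review bot: the #ifdef/#else/#endif around the initializer of sysctl_perf_event_paranoid in kernel/events/core.c can be a single constant expression, which avoids preprocessor conditionals in a .c file and keeps both values visible to the compiler: `int sysctl_perf_event_paranoid __read_mostly = IS_ENABLED(CONFIG_SECURITY_PERF_EVENTS_RESTRICT) ? 3 : 2;`.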
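Review bot: the help text added to security/Kconfig says unprivileged use is blocked "unless it is changed" but not who can change it or how; state that root can lower the level at runtime by writing to /proc/sys/kernel/perf_event_paranoid (sysctl kernel.perf_event_paranoid), and that "unprivileged" means lacking CAP_SYS_ADMIN as the kernel.txt hunk already says, so the build-time default and the runtime override are documented in the same place.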
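As an added verification check for the behaviour the commit message describes (not part of this patch or of the kernel tree; the helper names are mine): read kernel.perf_event_paranoid, issue the least privileged perf_event_open request possible, and compare the outcome with what that level should permit, so an administrator can confirm that a kernel built with CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y really refuses unprivileged callers.

```c
/* Added check, not part of this patch: confirm that a kernel built with
 * CONFIG_SECURITY_PERF_EVENTS_RESTRICT refuses unprivileged perf_event_open.
 * Run as a normal user; CAP_SYS_ADMIN bypasses the restriction. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Current kernel.perf_event_paranoid, or -100 if it cannot be read. */
static int read_paranoid_level(void)
{
	int level = -100;
	FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
	if (f && fscanf(f, "%d", &level) != 1) level = -100;
	if (f) fclose(f);
	return level;
}
/* What each level forbids, following the comment in kernel/events/core.c. */
static const char *describe_level(int level)
{
	if (level < 0) return "almost all events allowed for all users";
	if (level == 0) return "no raw tracepoints for unprivileged users";
	if (level == 1) return "no CPU-wide events for unprivileged users";
	if (level == 2) return "no kernel profiling for unprivileged users";
	return "no unprivileged perf_event_open at all";
}
/* Level 3 refuses every unprivileged open with EACCES; 2 and below still allow
 * a user-only software counter on the caller's own process (a kernel lacking
 * level 3 allows it at 3 as well, which is the mismatch this check reports). */
static int expected_probe_errno(int level) { return level >= 3 ? EACCES : 0; }
/* Least privileged request: user-space-only cpu-clock on the calling thread.
 * Returns 0 if opened, else errno (seccomp may yield EPERM/ENOSYS instead). */
static int probe_self_cpu_clock(void)
{
	struct perf_event_attr attr = { .type = PERF_TYPE_SOFTWARE,
		.size = sizeof(attr), .config = PERF_COUNT_SW_CPU_CLOCK,
		.disabled = 1, .exclude_kernel = 1, .exclude_hv = 1 };
	long fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
	if (fd >= 0) close((int)fd);
	return fd < 0 ? errno : 0;
}
int main(void)
{
	int level = read_paranoid_level(), got = probe_self_cpu_clock();
	printf("perf_event_paranoid=%d (%s); probe: %s, expected: %s\n", level,
	       describe_level(level), got ? strerror(got) : "allowed",
	       expected_probe_errno(level) ? "EACCES" : "allowed");
	return got == expected_probe_errno(level) ? 0 : 1;
}
```

Exit status 0 means the observed behaviour matches the configured level; a non-zero status with level 3 and "allowed" means the running kernel does not enforce level 3.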