From patchwork Wed Jul 27 14:45:46 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeffrey Vander Stoep X-Patchwork-Id: 9249919 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 72C82607D8 for ; Wed, 27 Jul 2016 14:46:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6560C26530 for ; Wed, 27 Jul 2016 14:46:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5A0C326D08; Wed, 27 Jul 2016 14:46:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 81F3C26530 for ; Wed, 27 Jul 2016 14:46:07 +0000 (UTC) Received: (qmail 20292 invoked by uid 550); 27 Jul 2016 14:46:05 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: kernel-hardening@lists.openwall.com Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 20271 invoked from network); 27 Jul 2016 14:46:04 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=from:to:cc:subject:date:message-id; bh=0gYd+2LykGoIDnzoau3B1LlFhbcPC8gfIgcUIayRutQ=; b=Xdf291Mj5LfaqBqV5FSLtytOltD9LMxduHUtYXZBlia2mUK+uU83n3N9viqlw6yuPQ sXQJbjPn9gN8Yv5OucjGWaJT/Owt3Ma3YtBtmg8Diq+uU7C2WEKWH5g7lJaq7XaCJECV nNgKy1yshE0sttaKJl9lMJ9UY1YY+RTIeLI+zk7+ZGHzf5bWNnXxCrxCF4EpUfS71Xpg 45bUdY7ciR6E03BR8jvkD0VZimpn7QWCbGe+lq4TByKPVqp9gqTZr2jgyB4XCmvxkVsz wgWZpI8TOgzXu+Ifgrx0Ty14xYlDOGwspsURVyVtX/UREmd3WM7RPTWizAt7w4z7NN7N li4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=0gYd+2LykGoIDnzoau3B1LlFhbcPC8gfIgcUIayRutQ=; b=Yi+sP0QOySKRPw3oReIdq4vydZJhFPkh/fRleL7z9s9k2eepDDoSZNON77KNUHV+1C mm8pEBWU5ZRkOCbV85CJ2lOEHTuKXkQulDidwmfPZG8PuAbQNU0d2sU/hd+DijlyQAEi WSsvfua0C8BAK33EdgKaiKGqOUzIZzq12yQEs5kLrBLHsLDFBmJutScFnfS5gqy2ht+G q+2jZS6RXit6nZAMfgdJ+Xu6Ssh0eXeiEGN6/zNUj3RjGyPzMshwsRR+aRRlOaH9lzTs rFkG9WTAlNAx1K9wToB8qPVZg5Ix618JsSCdd8NOkMyOOJI19Dktfqx7BL0I466SjRhu oZxA== X-Gm-Message-State: AEkoousTleX2m15drlEHChIsXx23If5N+aV8LgKMgo0nvs+XDnguSl1ysWqC4h4DRH1DZElp X-Received: by 10.66.245.1 with SMTP id xk1mr51030517pac.58.1469630752580; Wed, 27 Jul 2016 07:45:52 -0700 (PDT) From: Jeff Vander Stoep To: kernel-hardening@lists.openwall.com Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org, alexander.shishkin@linux.intel.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Vander Stoep Date: Wed, 27 Jul 2016 07:45:46 -0700 Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com> X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020 Subject: [kernel-hardening] [PATCH 1/2] security, perf: allow further restriction of perf_event_open X-Virus-Scanned: ClamAV using ClamSMTP When kernel.perf_event_paranoid is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. This new level of restriction is intended to reduce the attack surface of the kernel. Perf is a valuable tool for developers but is generally unnecessary and unused on production systems. Perf may open up an attack vector to vulnerable device-specific drivers as recently demonstrated in CVE-2016-0805, CVE-2016-0819, CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of restriction allows for a safe default to be set on production systems while leaving a simple means for developers to grant access [1]. This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches have been modified and split up to address on-list feedback. kernel.perf_event_paranoid=3 is the default on both Debian [2] and Android [3]. [1] Making perf available to developers on Android: https://android-review.googlesource.com/#/c/234400/ [2] Original patch by Ben Hutchings: https://lkml.org/lkml/2016/1/11/587 [3] https://android-review.googlesource.com/#/c/234743/ Signed-off-by: Jeff Vander Stoep Reviewed-by: Kees Cook --- Documentation/sysctl/kernel.txt | 1 + include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index ffab8b5..fac9798 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -665,6 +665,7 @@ users (without CAP_SYS_ADMIN). The default value is 2. >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK >=1: Disallow CPU event access by users without CAP_SYS_ADMIN >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN +>=3: Disallow all event access by users without CAP_SYS_ADMIN ============================================================== diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index 8ed43261..1e2080f 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -1156,6 +1156,11 @@ static inline bool perf_paranoid_kernel(void) return sysctl_perf_event_paranoid > 1; } +static inline bool perf_paranoid_any(void) +{ + return sysctl_perf_event_paranoid > 2; +} + extern void perf_event_init(void); extern void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size, struct pt_regs *regs, diff --git a/kernel/events/core.c b/kernel/events/core.c index 356a6c7..52bd100 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -353,6 +353,7 @@ static struct srcu_struct pmus_srcu; * 0 - disallow raw tracepoint access for unpriv * 1 - disallow cpu events for unpriv * 2 - disallow kernel profiling for unpriv + * 3 - disallow all unpriv perf event use */ int sysctl_perf_event_paranoid __read_mostly = 2; @@ -9296,6 +9297,9 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) + return -EACCES; + err = perf_copy_attr(attr_uptr, &attr); if (err) return err;