[linux] 01/02: security, perf: Replace GRKERNSEC_PERF_HARDEN patch with the version submitted upstream

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Oct 5 21:28:02 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit 6573a2a7c7748e81329c494fc89a373d24f0ef00
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Oct 5 22:23:08 2016 +0100

    security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version submitted upstream
    
    This hasn't been *accepted* upstream, but maybe some day?  It has gone
    into AOSP.
---
 debian/changelog                                   |  2 +
 debian/config/config                               |  6 +-
 .../all/grsecurity/grkernsec_perf_harden.patch     | 76 ----------------------
 ...ow-further-restriction-of-perf_event_open.patch | 75 +++++++++++++++++++++
 debian/patches/series                              |  2 +-
 5 files changed, 79 insertions(+), 82 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index e1c60a4..54ee55a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ linux (4.8-1~exp1) UNRELEASED; urgency=medium
   * [mips*] Enable RANDOMIZE_BASE
   * Enable SLAB_FREELIST_RANDOM
   * [arm*,powerpc*,s390x,sparc64,x86] Enable HARDENED_USERCOPY
+  * security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version
+    submitted upstream
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 01 Oct 2016 21:51:33 +0100
 
diff --git a/debian/config/config b/debian/config/config
index 21a8a5d..14036b4 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -5460,11 +5460,6 @@ CONFIG_XFS_RT=y
 # CONFIG_XFS_DEBUG is not set
 
 ##
-## file: grsecurity/Kconfig
-##
-CONFIG_GRKERNSEC_PERF_HARDEN=y
-
-##
 ## file: init/Kconfig
 ##
 CONFIG_CROSS_COMPILE=""
@@ -6649,6 +6644,7 @@ CONFIG_NET_KEY_MIGRATE=y
 ## file: security/Kconfig
 ##
 CONFIG_GRKERNSEC=y
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
diff --git a/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch b/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
deleted file mode 100644
index 110d2d4..0000000
--- a/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Subject: grsecurity: GRKERNSEC_PERF_HARDEN
-Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
-
-The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity.  Adds the
-option to disable perf_event_open() entirely for unprivileged users.
-This standalone version doesn't include making the variable read-only
-(or renaming it).
-
----
---- a/include/linux/perf_event.h
-+++ b/include/linux/perf_event.h
-@@ -1122,6 +1122,11 @@ extern int perf_cpu_time_max_percent_han
- int perf_event_max_stack_handler(struct ctl_table *table, int write,
- 				 void __user *buffer, size_t *lenp, loff_t *ppos);
- 
-+static inline bool perf_paranoid_any(void)
-+{
-+	return sysctl_perf_event_paranoid > 2;
-+}
-+
- static inline bool perf_paranoid_tracepoint_raw(void)
- {
- 	return sysctl_perf_event_paranoid > -1;
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -352,8 +352,13 @@ static struct srcu_struct pmus_srcu;
-  *   0 - disallow raw tracepoint access for unpriv
-  *   1 - disallow cpu events for unpriv
-  *   2 - disallow kernel profiling for unpriv
-+ *   3 - disallow all unpriv perf event use
-  */
-+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
-+int sysctl_perf_event_paranoid __read_mostly = 3;
-+#else
- int sysctl_perf_event_paranoid __read_mostly = 2;
-+#endif
- 
- /* Minimum for 512 kiB + 1 user control page */
- int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -9181,6 +9186,11 @@ SYSCALL_DEFINE5(perf_event_open,
- 	if (flags & ~PERF_FLAG_ALL)
- 		return -EINVAL;
- 
-+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
-+	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
-+		return -EACCES;
-+#endif
-+
- 	err = perf_copy_attr(attr_uptr, &attr);
- 	if (err)
- 		return err;
---- a/grsecurity/Kconfig
-+++ b/grsecurity/Kconfig
-@@ -1,3 +1,21 @@
- #
- # grecurity configuration
- #
-+config GRKERNSEC_PERF_HARDEN
-+	bool "Disable unprivileged PERF_EVENTS usage by default"
-+	depends on PERF_EVENTS
-+	help
-+	  If you say Y here, the range of acceptable values for the
-+	  /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
-+	  default to a new value: 3.  When the sysctl is set to this value, no
-+	  unprivileged use of the PERF_EVENTS syscall interface will be permitted.
-+
-+	  Though PERF_EVENTS can be used legitimately for performance monitoring
-+	  and low-level application profiling, it is forced on regardless of
-+	  configuration, has been at fault for several vulnerabilities, and
-+	  creates new opportunities for side channels and other information leaks.
-+
-+	  This feature puts PERF_EVENTS into a secure default state and permits
-+	  the administrator to change out of it temporarily if unprivileged
-+	  application profiling is needed.
-+
diff --git a/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
new file mode 100644
index 0000000..6acd429
--- /dev/null
+++ b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
@@ -0,0 +1,75 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: security,perf: Allow further restriction of perf_event_open
+Forwarded: https://lkml.org/lkml/2016/1/11/587
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
+the variable read-only.  It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1145,6 +1145,11 @@ extern int perf_cpu_time_max_percent_han
+ int perf_event_max_stack_handler(struct ctl_table *table, int write,
+ 				 void __user *buffer, size_t *lenp, loff_t *ppos);
+ 
++static inline bool perf_paranoid_any(void)
++{
++	return sysctl_perf_event_paranoid > 2;
++}
++
+ static inline bool perf_paranoid_tracepoint_raw(void)
+ {
+ 	return sysctl_perf_event_paranoid > -1;
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -389,8 +389,13 @@ static struct srcu_struct pmus_srcu;
+  *   0 - disallow raw tracepoint access for unpriv
+  *   1 - disallow cpu events for unpriv
+  *   2 - disallow kernel profiling for unpriv
++ *   3 - disallow all unpriv perf event use
+  */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+ 
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -9395,6 +9400,9 @@ SYSCALL_DEFINE5(perf_event_open,
+ 	if (flags & ~PERF_FLAG_ALL)
+ 		return -EINVAL;
+ 
++	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++		return -EACCES;
++
+ 	err = perf_copy_attr(attr_uptr, &attr);
+ 	if (err)
+ 		return err;
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
+ 
+ 	  If you are unsure how to answer this question, answer N.
+ 
++config SECURITY_PERF_EVENTS_RESTRICT
++	bool "Restrict unprivileged use of performance events"
++	depends on PERF_EVENTS
++	help
++	  If you say Y here, the kernel.perf_event_paranoid sysctl
++	  will be set to 3 by default, and no unprivileged use of the
++	  perf_event_open syscall will be permitted unless it is
++	  changed.
++
+ config SECURITY
+ 	bool "Enable different security models"
+ 	depends on SYSFS
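Review bot: The embedded patch description says the restriction applies "When kernel.perf_event_open is set to 3", but `perf_paranoid_any()` tests `sysctl_perf_event_paranoid` and the Kconfig help in the same patch names `kernel.perf_event_paranoid`, so the description should read `When kernel.perf_event_paranoid is set to 3 (or greater)`. The new `capable(CAP_SYS_ADMIN)` check is added only at the entry of `SYSCALL_DEFINE5(perf_event_open, ...)`, whose body continues outside the embedded hunk. Raising the sysctl at run time therefore presumably blocks new opens but leaves events an unprivileged process already holds untouched, and the Kconfig help could say so, e.g. `Events opened before the sysctl is raised are not revoked.` The help's closing "unless it is changed" would be clearer as `unless the sysctl is lowered by an administrator`, since the variable is deliberately left writable.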
diff --git a/debian/patches/series b/debian/patches/series
index 5b5ea1e..ce01a51 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -35,6 +35,7 @@ debian/fs-enable-link-security-restrictions-by-default.patch
 debian/sched-autogroup-disabled.patch
 debian/yama-disable-by-default.patch
 debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
 
 # Disable autoloading/probing of various drivers by default
 debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
@@ -68,7 +69,6 @@ bugfix/all/ext4-fix-bug-838544.patch
 features/all/grsecurity/grsecurity-kconfig.patch
 # Disabled until we add code into the grsecurity/ directory
 #features/all/grsecurity/grsecurity-kbuild.patch
-features/all/grsecurity/grkernsec_perf_harden.patch
 
 # Securelevel patchset from mjg59
 features/all/securelevel/add-bsd-style-securelevel-support.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


