diff --git a/debian/changelog b/debian/changelog
index 37076259e..bf37a2374 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -32,6 +32,9 @@ linux (4.1.3-1) UNRELEASED; urgency=medium
 * [x86] block: Enable BLK_DEV_PMEM as module; enable X86_PMEM_LEGACY
 * [x86] tpm: Enable TCG_CRB as module
 * debug: Enable DEBUG_LIST
+ * security: Apply and enable GRKERNSEC_PERF_HARDEN feature from Grsecurity,
+ disabling use of perf_event_open() by unprivileged users by default
+ (sysctl: kernel.perf_event_paranoid)

 [ Ian Campbell ]
 * [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.
diff --git a/debian/config/config b/debian/config/config
index 14a9c2e5c..77bdda83f 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -5141,6 +5141,11 @@ CONFIG_XFS_RT=y
 # CONFIG_XFS_WARN is not set
 # CONFIG_XFS_DEBUG is not set

+##
+## file: grsecurity/Kconfig
+##
+CONFIG_GRKERNSEC_PERF_HARDEN=y
+
 ##
 ## file: init/Kconfig
 ##
@@ -6279,6 +6284,7 @@ CONFIG_NET_KEY_MIGRATE=y
 ##
 ## file: security/Kconfig
 ##
+CONFIG_GRKERNSEC=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
diff --git a/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch b/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
new file mode 100644
index 000000000..6b1622ac4
--- /dev/null
+++ b/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
@@ -0,0 +1,76 @@
+From: Ben Hutchings
+Subject: grsecurity: GRKERNSEC_PERF_HARDEN
+Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
+
+The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity. Adds the
+option to disable perf_event_open() entirely for unprivileged users.
+This standalone version doesn't include making the variable read-only
+(or renaming it).
+
+---
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -851,6 +851,11 @@ extern int perf_cpu_time_max_percent_han
+ loff_t *ppos);
+ 
+ 
++static inline bool perf_paranoid_any(void)
++{
++ return sysctl_perf_event_paranoid > 2;
++}
++ 
+ static inline bool perf_paranoid_tracepoint_raw(void)
+ {
+ return sysctl_perf_event_paranoid > -1;
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -172,8 +172,13 @@ static struct srcu_struct pmus_srcu;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 1;
++#endif
+ 
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -7892,6 +7897,11 @@ SYSCALL_DEFINE5(perf_event_open,
+ if (flags & ~PERF_FLAG_ALL)
+ return -EINVAL;
+ 
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++ return -EACCES;
++#endif
++ 
+ err = perf_copy_attr(attr_uptr, &attr);
+ if (err)
+ return err;
+--- a/grsecurity/Kconfig
++++ b/grsecurity/Kconfig
+@@ -1,3 +1,21 @@
+ #
+ # grecurity configuration
+ #
++config GRKERNSEC_PERF_HARDEN
++ bool "Disable unprivileged PERF_EVENTS usage by default"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the range of acceptable values for the
++ /proc/sys/kernel/perf_event_paranoid sysctl will 
be expanded to allow and
++ default to a new value: 3. When the sysctl is set to this value, no
++ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
++ 
++ Though PERF_EVENTS can be used legitimately for performance monitoring
++ and low-level application profiling, it is forced on regardless of
++ configuration, has been at fault for several vulnerabilities, and
++ creates new opportunities for side channels and other information leaks.
++ 
++ This feature puts PERF_EVENTS into a secure default state and permits
++ the administrator to change out of it temporarily if unprivileged
++ application profiling is needed.
++ 
diff --git a/debian/patches/features/all/grsecurity/grsecurity-kbuild.patch b/debian/patches/features/all/grsecurity/grsecurity-kbuild.patch
new file mode 100644
index 000000000..81fcf2dcb
--- /dev/null
+++ b/debian/patches/features/all/grsecurity/grsecurity-kbuild.patch
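Review bot: The help text added to grsecurity/Kconfig says the acceptable range of /proc/sys/kernel/perf_event_paranoid "will be expanded", but nothing in this patch changes what the sysctl accepts — only the default and the `> 2` test in perf_paranoid_any() are new — and the patch description itself says the variable is neither made read-only nor renamed; reword the help along the lines of `When the sysctl is set to 3 (the default with this option), no unprivileged use of perf_event_open() is permitted; the administrator may still change the value at runtime.` so it describes exactly what is enforced. The `3 - disallow all unpriv perf event use` comment line in core.c and perf_paranoid_any() in perf_event.h are added unconditionally, yet the check in perf_event_open() is wrapped in `#ifdef CONFIG_GRKERNSEC_PERF_HARDEN`, so a kernel built without the option documents a value that silently behaves like 2; keeping the `#ifdef` only around the default and letting `if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) return -EACCES;` compile in every build would make the documented value mean the same thing everywhere. The SYSCALL_DEFINE5(perf_event_open, ...) body starts and continues outside the hunk.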
@@ -0,0 +1,42 @@
+From: Ben Hutchings
+Subject: grsecurity: Kbuild integration
+Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
+
+Kbuild integration changes extracted from Grsecurity.
+
+Subsequent patches will add to the empty Makefile.
+
+--- a/Makefile
++++ b/Makefile
+@@ -887,7 +887,7 @@ export mod_sign_cmd
+ 
+ 
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+ 
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+--- /dev/null
++++ b/grsecurity/Makefile
+@@ -0,0 +1,20 @@
++# grsecurity – access control and security hardening for Linux
++# All code in this directory and various hooks located throughout the Linux kernel are
++# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
++# http://www.grsecurity.net spender@grsecurity.net
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License version 2
++# as published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++KBUILD_CFLAGS += -Werror
++
diff --git a/debian/patches/features/all/grsecurity/grsecurity-kconfig.patch b/debian/patches/features/all/grsecurity/grsecurity-kconfig.patch
new file mode 100644
index 000000000..121128403
--- /dev/null
+++ b/debian/patches/features/all/grsecurity/grsecurity-kconfig.patch
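Review bot: `KBUILD_CFLAGS += -Werror` in the new grsecurity/Makefile turns every future compiler warning in that directory into a build failure, which for a distribution kernel built with several toolchain versions and architectures is brittle. Since debian/patches/series carries this patch commented out until code lands in grsecurity/, it would be safer to drop the line, or at least add a comment above it (e.g. `# Warnings in hardening code are treated as errors; relax only with a justification`) so the next person to enable the patch knows the flag is deliberate rather than inherited.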
@@ -0,0 +1,47 @@
+From: Ben Hutchings
+Subject: grsecurity: Kconfig integration
+Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
+
+Kconfig integration changes extracted from Grsecurity, with help
+strings changed to make it clear that is not the real thing.
+
+Subsequent patches will add to the empty menu.
+
+---
+--- /dev/null
++++ b/grsecurity/Kconfig
+@@ -0,0 +1,3 @@
++#
++# grecurity configuration
++#
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -4,6 +4,28 @@
+ 
+ menu "Security options"
+ 
++menu "Hardening features (from Grsecurity)"
++
++config GRKERNSEC
++ bool "Hardening features (from Grsecurity)"
++ select DEBUG_KERNEL
++ select DEBUG_LIST
++ help
++ If you say Y here, you will be able to configure many features
++ that will enhance the security of your system. It is highly
++ recommended that you say Y here and read through the help
++ for each option so that you fully understand the features and
++ can evaluate their usefulness for your machine.
++
++menu "Customize Configuration"
++depends on GRKERNSEC
++
++source grsecurity/Kconfig
++
++endmenu
++
++endmenu
++
+ source security/keys/Kconfig
+ 
+ config SECURITY_DMESG_RESTRICT
diff --git a/debian/patches/series b/debian/patches/series
index 41bb2dfaa..c5e94517f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -90,3 +90,9 @@ bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
 bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
 bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
+
+# Hardening from grsecurity
+features/all/grsecurity/grsecurity-kconfig.patch
+# Disabled until we add code into the grsecurity/ directory
+#features/all/grsecurity/grsecurity-kbuild.patch
+features/all/grsecurity/grkernsec_perf_harden.patch
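Review bot: The header of the new grsecurity/Kconfig reads `# grecurity configuration`; the intended spelling is `# grsecurity configuration`, and because grkernsec_perf_harden.patch in this same commit carries that line as context, the fix has to be applied to both patches together or the later one will no longer apply. Separately, `config GRKERNSEC` uses `select DEBUG_KERNEL` and `select DEBUG_LIST`, so turning on the hardening menu forces two debugging options on without saying so anywhere the user can see; a sentence in its help text such as `Enabling this also selects DEBUG_KERNEL and DEBUG_LIST.` would make that side effect visible in menuconfig.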