security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version submitted upstream

This hasn't been *accepted* upstream, but maybe some day? It has gone into AOSP.
2016-10-05 22:23:08 +01:00 · 2016-10-05 22:23:08 +01:00 · 6573a2a7c7
parent 357c2335a5
commit 6573a2a7c7
5 changed files with 79 additions and 82 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -13,6 +13,8 @@ linux (4.8-1~exp1) UNRELEASED; urgency=medium
  * [mips*] Enable RANDOMIZE_BASE
  * Enable SLAB_FREELIST_RANDOM
  * [arm*,powerpc*,s390x,sparc64,x86] Enable HARDENED_USERCOPY
+  * security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version
+    submitted upstream

 -- Ben Hutchings <ben@decadent.org.uk>  Sat, 01 Oct 2016 21:51:33 +0100

--- a/debian/config/config
+++ b/debian/config/config
@ -5459,11 +5459,6 @@ CONFIG_XFS_RT=y
 # CONFIG_XFS_WARN is not set
 # CONFIG_XFS_DEBUG is not set

-##
-## file: grsecurity/Kconfig
-##
-CONFIG_GRKERNSEC_PERF_HARDEN=y
-
 ##
 ## file: init/Kconfig
 ##
@ -6649,6 +6644,7 @@ CONFIG_NET_KEY_MIGRATE=y
 ## file: security/Kconfig
 ##
 CONFIG_GRKERNSEC=y
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
--- a/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
+++ b/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
@ -1,76 +0,0 @@
-From: Ben Hutchings <ben@decadent.org.uk>
-Subject: grsecurity: GRKERNSEC_PERF_HARDEN
-Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
-
-The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity.  Adds the
-option to disable perf_event_open() entirely for unprivileged users.
-This standalone version doesn't include making the variable read-only
-(or renaming it).
-
---
--- a/include/linux/perf_event.h
-+++ b/include/linux/perf_event.h
-@@ -1122,6 +1122,11 @@ extern int perf_cpu_time_max_percent_han
- int perf_event_max_stack_handler(struct ctl_table *table, int write,
- 				 void __user *buffer, size_t *lenp, loff_t *ppos);
- 
-+static inline bool perf_paranoid_any(void)
-+{
-+	return sysctl_perf_event_paranoid > 2;
-+}
-+
- static inline bool perf_paranoid_tracepoint_raw(void)
- {
- 	return sysctl_perf_event_paranoid > -1;
--- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -352,8 +352,13 @@ static struct srcu_struct pmus_srcu;
-  *   0 - disallow raw tracepoint access for unpriv
-  *   1 - disallow cpu events for unpriv
-  *   2 - disallow kernel profiling for unpriv
-+ *   3 - disallow all unpriv perf event use
-  */
-+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
-+int sysctl_perf_event_paranoid __read_mostly = 3;
-+#else
- int sysctl_perf_event_paranoid __read_mostly = 2;
-+#endif
- 
- /* Minimum for 512 kiB + 1 user control page */
- int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -9181,6 +9186,11 @@ SYSCALL_DEFINE5(perf_event_open,
- 	if (flags & ~PERF_FLAG_ALL)
- 		return -EINVAL;
- 
-+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
-+	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
-+		return -EACCES;
-+#endif
-+
- 	err = perf_copy_attr(attr_uptr, &attr);
- 	if (err)
- 		return err;
--- a/grsecurity/Kconfig
-+++ b/grsecurity/Kconfig
-@@ -1,3 +1,21 @@
- #
- # grecurity configuration
- #
-+config GRKERNSEC_PERF_HARDEN
-+	bool "Disable unprivileged PERF_EVENTS usage by default"
-+	depends on PERF_EVENTS
-+	help
-+	  If you say Y here, the range of acceptable values for the
-+	  /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
-+	  default to a new value: 3.  When the sysctl is set to this value, no
-+	  unprivileged use of the PERF_EVENTS syscall interface will be permitted.
-+
-+	  Though PERF_EVENTS can be used legitimately for performance monitoring
-+	  and low-level application profiling, it is forced on regardless of
-+	  configuration, has been at fault for several vulnerabilities, and
-+	  creates new opportunities for side channels and other information leaks.
-+
-+	  This feature puts PERF_EVENTS into a secure default state and permits
-+	  the administrator to change out of it temporarily if unprivileged
-+	  application profiling is needed.
-+
--- a/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
+++ b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
@ -0,0 +1,75 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: security,perf: Allow further restriction of perf_event_open
+Forwarded: https://lkml.org/lkml/2016/1/11/587
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
+the variable read-only.  It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
+@@ -1145,6 +1145,11 @@ extern int perf_cpu_time_max_percent_han
+ int perf_event_max_stack_handler(struct ctl_table *table, int write,
+ 				 void __user *buffer, size_t *lenp, loff_t *ppos);
+ 
+static inline bool perf_paranoid_any(void)
+{
+	return sysctl_perf_event_paranoid > 2;
+}
+
+ static inline bool perf_paranoid_tracepoint_raw(void)
+ {
+ 	return sysctl_perf_event_paranoid > -1;
+--- a/kernel/events/core.c
+++ b/kernel/events/core.c
+@@ -389,8 +389,13 @@ static struct srcu_struct pmus_srcu;
+  *   0 - disallow raw tracepoint access for unpriv
+  *   1 - disallow cpu events for unpriv
+  *   2 - disallow kernel profiling for unpriv
+ *   3 - disallow all unpriv perf event use
+  */
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
+ 
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -9395,6 +9400,9 @@ SYSCALL_DEFINE5(perf_event_open,
+ 	if (flags & ~PERF_FLAG_ALL)
+ 		return -EINVAL;
+ 
+	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+		return -EACCES;
+
+ 	err = perf_copy_attr(attr_uptr, &attr);
+ 	if (err)
+ 		return err;
+--- a/security/Kconfig
+++ b/security/Kconfig
+@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
+ 
+ 	  If you are unsure how to answer this question, answer N.
+ 
+config SECURITY_PERF_EVENTS_RESTRICT
+	bool "Restrict unprivileged use of performance events"
+	depends on PERF_EVENTS
+	help
+	  If you say Y here, the kernel.perf_event_paranoid sysctl
+	  will be set to 3 by default, and no unprivileged use of the
+	  perf_event_open syscall will be permitted unless it is
+	  changed.
+
+ config SECURITY
+ 	bool "Enable different security models"
+ 	depends on SYSFS
--- a/debian/patches/series
+++ b/debian/patches/series
@ -35,6 +35,7 @@ debian/fs-enable-link-security-restrictions-by-default.patch
 debian/sched-autogroup-disabled.patch
 debian/yama-disable-by-default.patch
 debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

 # Disable autoloading/probing of various drivers by default
 debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
@ -68,7 +69,6 @@ bugfix/all/ext4-fix-bug-838544.patch
 features/all/grsecurity/grsecurity-kconfig.patch
 # Disabled until we add code into the grsecurity/ directory
 #features/all/grsecurity/grsecurity-kbuild.patch
-features/all/grsecurity/grkernsec_perf_harden.patch

 # Securelevel patchset from mjg59
 features/all/securelevel/add-bsd-style-securelevel-support.patch