diff --git a/debian/changelog b/debian/changelog
index e1c60a403..54ee55ab7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ linux (4.8-1~exp1) UNRELEASED; urgency=medium
 * [mips*] Enable RANDOMIZE_BASE
 * Enable SLAB_FREELIST_RANDOM
 * [arm*,powerpc*,s390x,sparc64,x86] Enable HARDENED_USERCOPY
+ * security,perf: Replace GRKERNSEC_PERF_HARDEN patch with the version
+ submitted upstream
 -- Ben Hutchings Sat, 01 Oct 2016 21:51:33 +0100
diff --git a/debian/config/config b/debian/config/config
index 21a8a5d9e..14036b421 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -5459,11 +5459,6 @@ CONFIG_XFS_RT=y
 # CONFIG_XFS_WARN is not set
 # CONFIG_XFS_DEBUG is not set
-##
-## file: grsecurity/Kconfig
-##
-CONFIG_GRKERNSEC_PERF_HARDEN=y
-
 ##
 ## file: init/Kconfig
 ##
@@ -6649,6 +6644,7 @@ CONFIG_NET_KEY_MIGRATE=y
 ## file: security/Kconfig
 ##
 CONFIG_GRKERNSEC=y
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
diff --git a/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch b/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
deleted file mode 100644
index 110d2d422..000000000
--- a/debian/patches/features/all/grsecurity/grkernsec_perf_harden.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Ben Hutchings
-Subject: grsecurity: GRKERNSEC_PERF_HARDEN
-Origin: https://grsecurity.net/test/grsecurity-3.1-4.1.3-201507261932.patch
-
-The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity. Adds the
-option to disable perf_event_open() entirely for unprivileged users.
-This standalone version doesn't include making the variable read-only
-(or renaming it).
-
----
---- a/include/linux/perf_event.h
-+++ b/include/linux/perf_event.h
-@@ -1122,6 +1122,11 @@ extern int perf_cpu_time_max_percent_han
- int perf_event_max_stack_handler(struct ctl_table *table, int write,
- void __user *buffer, size_t *lenp, loff_t *ppos);
-
-+static inline bool perf_paranoid_any(void)
-+{
-+ return sysctl_perf_event_paranoid > 2;
-+}
-+
- static inline bool perf_paranoid_tracepoint_raw(void)
- {
- return sysctl_perf_event_paranoid > -1;
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -352,8 +352,13 @@ static struct srcu_struct pmus_srcu;
- * 0 - disallow raw tracepoint access for unpriv
- * 1 - disallow cpu events for unpriv
- * 2 - disallow kernel profiling for unpriv
-+ * 3 - disallow all unpriv perf event use
- */
-+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
-+int sysctl_perf_event_paranoid __read_mostly = 3;
-+#else
- int sysctl_perf_event_paranoid __read_mostly = 2;
-+#endif
-
- /* Minimum for 512 kiB + 1 user control page */
- int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -9181,6 +9186,11 @@ SYSCALL_DEFINE5(perf_event_open,
- if (flags & ~PERF_FLAG_ALL)
- return -EINVAL;
-
-+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
-+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
-+ return -EACCES;
-+#endif
-+
- err = perf_copy_attr(attr_uptr, &attr);
- if (err)
- return err;
---- a/grsecurity/Kconfig
-+++ b/grsecurity/Kconfig
-@@ -1,3 +1,21 @@
- #
- # grecurity configuration
- #
-+config GRKERNSEC_PERF_HARDEN
-+ bool "Disable unprivileged PERF_EVENTS usage by default"
-+ depends on PERF_EVENTS
-+ help
-+ If
you say Y here, the range of acceptable values for the
-+ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
-+ default to a new value: 3. When the sysctl is set to this value, no
-+ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
-+
-+ Though PERF_EVENTS can be used legitimately for performance monitoring
-+ and low-level application profiling, it is forced on regardless of
-+ configuration, has been at fault for several vulnerabilities, and
-+ creates new opportunities for side channels and other information leaks.
-+
-+ This feature puts PERF_EVENTS into a secure default state and permits
-+ the administrator to change out of it temporarily if unprivileged
-+ application profiling is needed.
-+
diff --git a/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
new file mode 100644
index 000000000..6acd429db
--- /dev/null
+++ b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
@@ -0,0 +1,75 @@
+From: Ben Hutchings
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: security,perf: Allow further restriction of perf_event_open
+Forwarded: https://lkml.org/lkml/2016/1/11/587
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings
+---
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1145,6 +1145,11 @@ extern int perf_cpu_time_max_percent_han
+ int perf_event_max_stack_handler(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+
++static inline bool perf_paranoid_any(void)
++{
++ return sysctl_perf_event_paranoid > 2;
++}
++
+ static inline bool perf_paranoid_tracepoint_raw(void)
+ {
+ return sysctl_perf_event_paranoid > -1;
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -389,8 +389,13 @@ static struct srcu_struct pmus_srcu;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -9395,6 +9400,9 @@ SYSCALL_DEFINE5(perf_event_open,
+ if (flags & ~PERF_FLAG_ALL)
+ return -EINVAL;
+
++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++ return -EACCES;
++
+ err = perf_copy_attr(attr_uptr,
&attr);
+ if (err)
+ return err;
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
diff --git a/debian/patches/series b/debian/patches/series
index 5b5ea1e33..ce01a5154 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -35,6 +35,7 @@ debian/fs-enable-link-security-restrictions-by-default.patch
 debian/sched-autogroup-disabled.patch
 debian/yama-disable-by-default.patch
 debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
 # Disable autoloading/probing of various drivers by default
 debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
@@ -68,7 +69,6 @@ bugfix/all/ext4-fix-bug-838544.patch
 features/all/grsecurity/grsecurity-kconfig.patch
 # Disabled until we add code into the grsecurity/ directory
 #features/all/grsecurity/grsecurity-kbuild.patch
-features/all/grsecurity/grkernsec_perf_harden.patch
 # Securelevel patchset from mjg59
 features/all/securelevel/add-bsd-style-securelevel-support.patch
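Review bot: The new patch's description names the wrong sysctl: `When kernel.perf_event_open is set to 3 (or greater), disallow all` should read `When kernel.perf_event_paranoid is set to 3 (or greater), disallow all`, matching the variable perf_paranoid_any() compares and the Kconfig help text further down in the same hunk. The added gate lives only in SYSCALL_DEFINE5(perf_event_open), ahead of perf_copy_attr(), so raising the sysctl to 3 at run time presumably leaves already-opened event descriptors usable; the SECURITY_PERF_EVENTS_RESTRICT help text would be clearer with a sentence such as `Raising the value at run time only affects subsequent perf_event_open() calls.` If this tree documents perf_event_paranoid under Documentation/sysctl/kernel.txt, value 3 should be listed there as well, since the patch leaves that file untouched. perf_event_open's body begins and continues outside the inner hunk shown here.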