Merge "FROMLIST: security,perf: Allow further restriction of perf_event_open" · b7d007f82e - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

Merge "FROMLIST: security,perf: Allow further restriction of perf_event_open"

This commit is contained in:

Linux Build Service Account

2016-09-19 23:27:58 -07:00

• committed by

Gerrit - the friendly Code Review server

parent f6ee052d80 1a565f59cb

commit b7d007f82e

4 changed files with 23 additions and 1 deletions

4

Documentation/sysctl/kernel.txt

View file

 @ -653,12 +653,14 @@ the existing panic controls already in that directory.
 perf_event_paranoid:
 Controls use of the performance events system by unprivileged
 users (without CAP_SYS_ADMIN).  The default value is 1.
 users (without CAP_SYS_ADMIN).  The default value is 3 if
 CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 1 otherwise.
  -1: Allow use of (almost) all events by all users
 >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
 >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
 >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
 >=3: Disallow all event access by users without CAP_SYS_ADMIN
 ==============================================================

									
										5

include/linux/perf_event.h
									
										View file
										
				@ -992,6 +992,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,

						loff_t *ppos);

				static inline bool perf_paranoid_any(void)

				{

					return sysctl_perf_event_paranoid > 2;

				}

				static inline bool perf_paranoid_tracepoint_raw(void)

				{

					return sysctl_perf_event_paranoid > -1;

									
										6

kernel/events/core.c
									
										View file
										
				@ -176,9 +176,12 @@ static struct srcu_struct pmus_srcu;

				 *   0 - disallow raw tracepoint access for unpriv

				 *   1 - disallow cpu events for unpriv

				 *   2 - disallow kernel profiling for unpriv

				 *   3 - disallow all unpriv perf event use

				 */

				#ifdef CONFIG_PERF_EVENTS_USERMODE

				int sysctl_perf_event_paranoid __read_mostly = -1;

				#elif defined CONFIG_SECURITY_PERF_EVENTS_RESTRICT

				int sysctl_perf_event_paranoid __read_mostly = 3;

				#else

				int sysctl_perf_event_paranoid __read_mostly = 1;

				#endif

				@ -8325,6 +8328,9 @@ SYSCALL_DEFINE5(perf_event_open,

					if (flags & ~PERF_FLAG_ALL)

						return -EINVAL;

					if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))

						return -EACCES;

					err = perf_copy_attr(attr_uptr, &attr);

					if (err)

						return err;

9

security/Kconfig

View file

 @ -23,6 +23,15 @@ config SECURITY_DMESG_RESTRICT
 	  If you are unsure how to answer this question, answer N.
 config SECURITY_PERF_EVENTS_RESTRICT
 	bool "Restrict unprivileged use of performance events"
 	depends on PERF_EVENTS
 	help
 	  If you say Y here, the kernel.perf_event_paranoid sysctl
 	  will be set to 3 by default, and no unprivileged use of the
 	  perf_event_open syscall will be permitted unless it is
 	  changed.
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS