On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote: > On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote: > > Hi guys, > > > > This patch wasn't originally CCed to you (I'm fixing that now). > > Would > > you consider taking this into the perf tree? > > No. > > > It's been in active use > > in both Debian and Android for a while now. > > Very nice of you all to finally inform us I suppose :/ It was in Debian a lot longer than Android, although the Android feature came from a downstream variant where it was done much earlier: https://android-review.googlesource.com/#/c/233736/ > > > > > > > > > > access to performance events by users without CAP_SYS_ADMIN. > > > > > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that > > > > > makes this value the default. > > > > > > > > > > This is based on a similar feature in grsecurity > > > > > (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include > > > > > making > > > > > the variable read-only. It also allows enabling further > > > > > restriction > > > > > at run-time regardless of whether the default is changed. > > This Changelog is completely devoid of information. _WHY_ are you > doing > this? Attack surface reduction. It's possible to use seccomp-bpf for some limited cases, but it's not flexible enough. There are lots of information leaks and local privilege escalation vulnerabilities via perf events, yet on most Linux installs it's not ever being used. So turning it off by default on those installs is an easy win. The holes are reduced to root -> kernel (and that's not a meaningful boundary in mainline right now - although as is the case here, Debian has a bunch of securelevel patches for that).
Attachment:
signature.asc
Description: This is a digitally signed message part
