[PATCH v2 2/4] support perf_event_paranoid=3

Debian uses a downstream patch[1] to allow further restriction of
perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2)
operations.

Set the parameter to a value of 2 during the tests and reset afterwards.

[1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
v2:
   set parameter to 2 instead of granting CAP_SYS_ADMIN
---
 tests/perf_event/test | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/tests/perf_event/test b/tests/perf_event/test
index c336477..cc1247b 100755
--- a/tests/perf_event/test
+++ b/tests/perf_event/test
@@ -32,12 +32,18 @@ BEGIN {
             print "\tNot paranoid\n";
         }
         elsif ( $level eq 0 ) {
-            print "\tDisallow raw tracepoint/ftrace without CAP_SYS_ADMIN\n";
+            print
+"\tDisallow raw tracepoint/ftrace without CAP_PERFMON or CAP_SYS_ADMIN\n";
         }
         elsif ( $level eq 1 ) {
-            print "\tDisallow CPU event access without CAP_SYS_ADMIN\n";
+            print
+"\tDisallow CPU event access without CAP_PERFMON or CAP_SYS_ADMIN\n";
         }
         elsif ( $level eq 2 ) {
+            print
+"\tDisallow kernel profiling without CAP_PERFMON or CAP_SYS_ADMIN\n";
+        }
+        elsif ( $level eq 3 ) {
             print "\tDisallow kernel profiling without CAP_SYS_ADMIN\n";
         }
         else {
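Review bot: the new `elsif ( $level eq 3 )` branch prints "Disallow kernel profiling without CAP_SYS_ADMIN", which is both nearly identical to the level 2 message directly above it and narrower than what the commit message says level 3 does (CAP_SYS_ADMIN required for all perf_event_open(2) operations). Consider something like `print "\tDisallow all perf_event_open(2) without CAP_SYS_ADMIN\n";` so the verbose output makes clear why the suite has to lower the level before running. The CAP_PERFMON additions to the level 0, 1 and 2 messages are consistent with each other.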
@@ -48,6 +54,11 @@ BEGIN {
     plan tests => $test_count;
 }
 
+# Downgrade to only require CAP_PERFMON for operations
+if ( $level eq 3 ) {
+    system("echo 2 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
 # find some CPU that is online
 for ( $cpu = 0 ; -e "/sys/devices/system/cpu/cpu$cpu" ; $cpu++ ) {
 
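Review bot: the `system("echo 2 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null")` in the downgrade block throws away stderr and never checks the exit status, so if the write fails (suite run without sufficient privilege, read-only /proc/sys, a locked-down sysctl) the tests silently continue at level 3 and the later perf_event cases fail for a reason unrelated to the policy under test. Check the result and stop early, e.g. `system(...) == 0 or die "unable to lower perf_event_paranoid: $?";`, or write the file from Perl (`open( my $fh, '>', '/proc/sys/kernel/perf_event_paranoid' ) or die "$!";`) so the error is reported directly instead of through a shell round-trip.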
@@ -114,4 +125,9 @@ $result =
   "runcon -t test_perf_no_write_t $basedir/perf_event $v $cpu $event_id 2>&1";
 ok( $result >> 8 eq 2 );
 
+# Reset if downgraded
+if ( $level eq 3 ) {
+    system("echo 3 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
 exit;
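Review bot: the "Reset if downgraded" block only runs when the script reaches the end; an `ok()` that dies, a `runcon` that hangs and gets the run killed, or any other early exit leaves the host at perf_event_paranoid=2, which is less restrictive than the administrator configured. Moving the restore into an `END { ... }` block (guarded by the same `$level eq 3` test) covers those paths as well. Saving the value read at startup and writing that back, rather than hardcoding 3, would also keep the downgrade and restore from drifting apart if another level is handled later, and the `2> /dev/null` here hides a failed restore just as it hides a failed downgrade.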
-- 
2.36.1