-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path0004.patch
More file actions
77 lines (67 loc) · 2.52 KB
/
0004.patch
File metadata and controls
77 lines (67 loc) · 2.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
diff -rcNP og/Documentation/admin-guide/sysctl/kernel.rst patched/Documentation/admin-guide/sysctl/kernel.rst
*** og/Documentation/admin-guide/sysctl/kernel.rst 2021-03-06 17:09:59.000000000 +0200
--- patched/Documentation/admin-guide/sysctl/kernel.rst 2021-03-06 17:56:46.000000000 +0200
***************
*** 743,750 ****
perf_event_paranoid:
====================
! Controls use of the performance events system by unprivileged
! users (without CAP_SYS_ADMIN). The default value is 2.
=== ==================================================================
-1 Allow use of (almost) all events by all users
--- 743,750 ----
perf_event_paranoid:
====================
! Controls use of the performance events system by
! users. The default value is 2.
=== ==================================================================
-1 Allow use of (almost) all events by all users
***************
*** 758,763 ****
--- 758,767 ----
>=1 Disallow CPU event access by users without CAP_SYS_ADMIN
>=2 Disallow kernel profiling by users without CAP_SYS_ADMIN
+
+ >=3 Disallow all unprivileged perf event use
+
+ >=69 Disallow all perf event use by everyone, including root
=== ==================================================================
diff -rcNP og/include/linux/perf_event.h patched/include/linux/perf_event.h
*** og/include/linux/perf_event.h 2021-03-06 17:51:50.000000000 +0200
--- patched/include/linux/perf_event.h 2021-03-06 17:51:47.000000000 +0200
***************
*** 1246,1251 ****
--- 1246,1256 ----
return sysctl_perf_event_paranoid > 2;
}
+ static inline bool perf_paranoid_all(void)
+ {
+ return sysctl_perf_event_paranoid = 69;
+ }
+
static inline bool perf_paranoid_tracepoint_raw(void)
{
return sysctl_perf_event_paranoid > -1;
diff -rcNP og/kernel/events/core.c patched/kernel/events/core.c
*** og/kernel/events/core.c 2021-03-06 17:55:29.000000000 +0200
--- patched/kernel/events/core.c 2021-03-06 17:55:25.000000000 +0200
***************
*** 405,410 ****
--- 405,411 ----
* 1 - disallow cpu events for unpriv
* 2 - disallow kernel profiling for unpriv
* 3 - disallow all unpriv perf event use
+ * 69 - disallow all perf event use
*/
#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
int sysctl_perf_event_paranoid __read_mostly = 3;
***************
*** 10931,10936 ****
--- 10932,10940 ----
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
+ if (perf_paranoid_all())
+ return -EACCES;
+
if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
return -EACCES;