diff options
author | Jeff Vander Stoep <jeffv@google.com> | 2016-05-29 14:22:32 -0700 |
---|---|---|
committer | Amit Pundir <amit.pundir@linaro.org> | 2016-06-16 13:44:10 +0530 |
commit | 934f4983c760c38be86ea5e9a008db8a66395eca (patch) | |
tree | e93de1843c1186dfb1b7113cf96ce5b612e389fc /security/Kconfig | |
parent | 690829a7aded2df9907edbdbf7c18b0f1556066e (diff) |
FROMLIST: security,perf: Allow further restriction of perf_event_open
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
https://lkml.org/lkml/2016/1/11/587
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bug: 29054680
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
Diffstat (limited to 'security/Kconfig')
-rw-r--r-- | security/Kconfig | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig index e45237897b43..30a2603e8c85 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. +config SECURITY_PERF_EVENTS_RESTRICT + bool "Restrict unprivileged use of performance events" + depends on PERF_EVENTS + help + If you say Y here, the kernel.perf_event_paranoid sysctl + will be set to 3 by default, and no unprivileged use of the + perf_event_open syscall will be permitted unless it is + changed. + config SECURITY bool "Enable different security models" depends on SYSFS |