FROMLIST: security,perf: Allow further restriction of perf_event_open

When kernel.perf_event_open is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that makes this value the default. This is based on a similar feature in grsecurity (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making the variable read-only. It also allows enabling further restriction at run-time regardless of whether the default is changed. https://lkml.org/lkml/2016/1/11/587 Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Bug: 29054680 Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
author: Jeff Vander Stoep <jeffv@google.com> 2016-05-29 14:22:32 -0700
committer: Amit Pundir <amit.pundir@linaro.org> 2016-06-16 13:44:10 +0530
commit: 934f4983c760c38be86ea5e9a008db8a66395eca (patch)
tree: e93de1843c1186dfb1b7113cf96ce5b612e389fc /security/Kconfig
parent: 690829a7aded2df9907edbdbf7c18b0f1556066e (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig
index e45237897b43..30a2603e8c85 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
 
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_PERF_EVENTS_RESTRICT
+	bool "Restrict unprivileged use of performance events"
+	depends on PERF_EVENTS
+	help
+	  If you say Y here, the kernel.perf_event_paranoid sysctl
+	  will be set to 3 by default, and no unprivileged use of the
+	  perf_event_open syscall will be permitted unless it is
+	  changed.
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS
author	Jeff Vander Stoep <jeffv@google.com>	2016-05-29 14:22:32 -0700
committer	Amit Pundir <amit.pundir@linaro.org>	2016-06-16 13:44:10 +0530
commit	934f4983c760c38be86ea5e9a008db8a66395eca (patch)
tree	e93de1843c1186dfb1b7113cf96ce5b612e389fc /security/Kconfig
parent	690829a7aded2df9907edbdbf7c18b0f1556066e (diff)