git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	Ben Hutchings <ben@decadent.org.uk>
	Tue, 16 Aug 2016 16:27:00 +0000 (10:27 -0600)
committer	Seth Forshee <seth.forshee@canonical.com>
	Tue, 5 Sep 2017 12:33:17 +0000 (07:33 -0500)
commit	cc58fdf5da8816470893f35f73e1fb23f2e9bff4
tree	7c279341d8a0763ee18d93d3be63d14138f4258d	tree
parent	30a4b97613ce7a69379df5808c2d34beb5946fff	commit \| diff

UBUNTU: SAUCE: security,perf: Allow further restriction of perf_event_open

https://lkml.org/lkml/2016/1/11/587

The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity.  Adds the
option to disable perf_event_open() entirely for unprivileged users.
This standalone version doesn't include making the variable read-only
(or renaming it).

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
the variable read-only.  It also allows enabling further restriction
at run-time regardless of whether the default is changed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

include/linux/perf_event.h		diff \| blob \| blame \| history
kernel/events/core.c		diff \| blob \| blame \| history
security/Kconfig		diff \| blob \| blame \| history