git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commit

author	Ben Hutchings <ben@decadent.org.uk>
	Tue, 16 Aug 2016 16:27:00 +0000 (10:27 -0600)
committer	Tim Gardner <tim.gardner@canonical.com>
	Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
commit	e4fee368e49128857251af5951c9f2613940d916
tree	8a485405eaef503034e5f38df5c7da3146a201c3	tree
parent	b2c84b7c5ef9add47f259131b9ede22d5f082c2f	commit \| diff

UBUNTU: SAUCE: security,perf: Allow further restriction of perf_event_open

https://lkml.org/lkml/2016/1/11/587

The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity.  Adds the
option to disable perf_event_open() entirely for unprivileged users.
This standalone version doesn't include making the variable read-only
(or renaming it).

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
the variable read-only.  It also allows enabling further restriction
at run-time regardless of whether the default is changed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

include/linux/perf_event.h		diff \| blob \| blame \| history
kernel/events/core.c		diff \| blob \| blame \| history
security/Kconfig		diff \| blob \| blame \| history