| Message ID | 20190622000358.19895-25-matthewgarrett@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Lockdown as an LSM | expand |
On Fri, Jun 21, 2019 at 05:03:53PM -0700, Matthew Garrett wrote: > From: David Howells <dhowells@redhat.com> > > Disallow the use of certain perf facilities that might allow userspace to > access kernel data. > > Signed-off-by: David Howells <dhowells@redhat.com> > Signed-off-by: Matthew Garrett <mjg59@google.com> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Ingo Molnar <mingo@redhat.com> > Cc: Arnaldo Carvalho de Melo <acme@kernel.org> > --- > include/linux/security.h | 1 + > kernel/events/core.c | 7 +++++++ > security/lockdown/lockdown.c | 1 + > 3 files changed, 9 insertions(+) > > diff --git a/include/linux/security.h b/include/linux/security.h > index de0d37b1fe79..53ea85889a48 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -98,6 +98,7 @@ enum lockdown_reason { > LOCKDOWN_KCORE, > LOCKDOWN_KPROBES, > LOCKDOWN_BPF_READ, > + LOCKDOWN_PERF, > LOCKDOWN_CONFIDENTIALITY_MAX, > }; > > diff --git a/kernel/events/core.c b/kernel/events/core.c > index 72d06e302e99..77f36551756e 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -10731,6 +10731,13 @@ SYSCALL_DEFINE5(perf_event_open, > return -EINVAL; > } > > + err = security_locked_down(LOCKDOWN_PERF); > + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) > + /* REGS_INTR can leak data, lockdown must prevent this */ > + return err; > + else > + err = 0; > + > /* Only privileged users can get physical addresses */ > if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && > perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) With moar capable() ordering fixed... Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > index 2eea2cc13117..a7e75c614416 100644 > --- a/security/lockdown/lockdown.c > +++ b/security/lockdown/lockdown.c > @@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_KCORE] = "/proc/kcore access", > [LOCKDOWN_KPROBES] = "use of kprobes", > [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", > + [LOCKDOWN_PERF] = "unsafe use of perf", > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", > }; > > -- > 2.22.0.410.gd8fdbe21b5-goog >
diff --git a/include/linux/security.h b/include/linux/security.h index de0d37b1fe79..53ea85889a48 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -98,6 +98,7 @@ enum lockdown_reason { LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, + LOCKDOWN_PERF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/events/core.c b/kernel/events/core.c index 72d06e302e99..77f36551756e 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10731,6 +10731,13 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; } + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + else + err = 0; + /* Only privileged users can get physical addresses */ if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2eea2cc13117..a7e75c614416 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", + [LOCKDOWN_PERF] = "unsafe use of perf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };