Date: Mon, 19 Aug 2019 17:18:00 -0700
In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com>
Message-Id: <20190820001805.241928-25-matthewgarrett@google.com>
Subject: [PATCH V40 24/29] lockdown: Lock down perf when in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells, Matthew Garrett, Kees Cook, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo

From: David Howells

Disallow the use of certain perf facilities that might allow userspace to
access kernel data.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
Signed-off-by: James Morris
---
 include/linux/security.h     | 1 +
 kernel/events/core.c         | 7 +++++++
 security/lockdown/lockdown.c | 1 +
 3 files changed, 9 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h index e604f4c67f03..b94f1e697537 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -119,6 +119,7 @@ enum lockdown_reason { LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, + LOCKDOWN_PERF, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/events/core.c b/kernel/events/core.c index f85929ce13be..8732f980a4fc 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10798,6 +10798,13 @@ SYSCALL_DEFINE5(perf_event_open, perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + + err = 0; + /* * In cgroup mode, the pid argument is used to pass the fd * opened to the cgroup directory in cgroupfs. The cpu argument diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2397772c56bd..3d7b1039457b 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM", + [LOCKDOWN_PERF] = "unsafe use of perf", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.23.0.rc1.153.gdeed80330f-goog
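
Review bot: in the include/linux/security.h hunk, LOCKDOWN_PERF is added with no comment on why it belongs to the confidentiality group (it sits just before LOCKDOWN_CONFIDENTIALITY_MAX), and the commit message only says "certain perf facilities". A one-line comment, or a commit message that names PERF_SAMPLE_REGS_INTR as the case covered, would document the scope of the new reason for anyone later adding perf checks under it.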
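
Review bot: in the kernel/events/core.c hunk, security_locked_down(LOCKDOWN_PERF) is called on every perf_event_open() and its result is discarded unless PERF_SAMPLE_REGS_INTR is set, which is the only reason the `err = 0;` reset is needed. Testing the sample type first, for example `if (attr.sample_type & PERF_SAMPLE_REGS_INTR) { err = security_locked_down(LOCKDOWN_PERF); if (err) return err; }`, consults the hook only when its answer matters, avoids any side effect of the hook (such as reporting a refusal) for requests that are then allowed, and removes the reset. The current `if` body is also a comment plus a `return` without braces, which is easy to misread when the code is next edited.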
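
Review bot: in the security/lockdown/lockdown.c hunk, the reason string "unsafe use of perf" does not say which facility was refused, while the only check this patch adds in kernel/events/core.c is for PERF_SAMPLE_REGS_INTR. A string that names that case would let an administrator map the message to the request that triggered it; if further perf restrictions are expected to share LOCKDOWN_PERF, the commit message should say so.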