Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3354100ybl;
        Mon, 19 Aug 2019 17:20:40 -0700 (PDT)
X-Google-Smtp-Source: APXvYqx/9or36Rzxa7epUgGgHsc9ASh9Wml9WM+Gb838B09RhIxESiiYpeu4z50nE1eXq/ujeAz7
X-Received: by 2002:a17:90a:fa0a:: with SMTP id cm10mr23494868pjb.133.1566260440789;
        Mon, 19 Aug 2019 17:20:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1566260440; cv=none;
        d=google.com; s=arc-20160816;
        b=0WkzG5ZAhSceTuxF0jAcJEv596liyjoKh+gLRU8K+e18IjMUtmEq3ui1HW5mnpveXR
         DntflHzfn3R7QmC0FN3N5dGqCsnzE+Bipt9HoHQ5suaEnEK4DE3OERI836KHRMp8ZCUw
         oOtOgDOnBQ9OIajgmc+Z2I+24IU4A3N8azh7afc1Z5Nz3eXNB/cfT9IbQTELxNJmI8Hq
         xcezeOfM8w8YEIrcQ+mWlo5UNFtt6DTHlrfLRJqvRxUbNDmLAemFECivLLHumxPH0WFD
         raShBkk++Tdyxp+RfYQioTcn1w8wJ5/Rfi57yInrYndHhi3YyAd7oRZXXHE2u23fkE0H
         bNhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=SWzpT147tCKuH/oJTsJ3VrcaxfdUFKv8ds0JG4GiFSY=;
        b=N6y0zWd2jhYiwg09WVXmF+YgPNcRQvvfWfTcvl5LeWavvl0+H4T6qYrBDQ0XY5pZIs
         82MTYV2uFpmj+kP763zvbKOTsDFNQTJaMGV5qvYou8iacbnm5/khxKC0YB+HEcyoin0x
         tX9rPbb1gGz0gF+tymhabRuNL7Vid7OgI9Kc+0pjmMpjovFf9wc/4gt04HR2QuUK1rMZ
         eJ+E4ZgGSRrarfCAAkW5a7ey951NnkVyhq1pAg44Nsdsj/GhXthTJ9ez/lVuKDMkH1FK
         9ymKdHFP4Jw87Jg+mcynanvVRxVhsQcLvwDF+Op48iiSaLzOHCR+sFbR1CHFNztt82fq
         pMZQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=EHQV+bc9;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i11si10868983pgk.309.2019.08.19.17.20.25;
        Mon, 19 Aug 2019 17:20:40 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=EHQV+bc9;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729175AbfHTATP (ORCPT <rfc822;schlichte.alexander@gmail.com>
        + 99 others); Mon, 19 Aug 2019 20:19:15 -0400
Received: from mail-pl1-f201.google.com ([209.85.214.201]:36193 "EHLO
        mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729160AbfHTATN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Aug 2019 20:19:13 -0400
Received: by mail-pl1-f201.google.com with SMTP id a5so2944516pla.3
        for <linux-kernel@vger.kernel.org>; Mon, 19 Aug 2019 17:19:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=SWzpT147tCKuH/oJTsJ3VrcaxfdUFKv8ds0JG4GiFSY=;
        b=EHQV+bc9TXTCrfRPG8bkkaSnOFigWkj9dXi1eDR7rjHTlRlucdTw/UFKyyxdsYbmAC
         FQckkCxclwBYXwS7LW0xVdfnDOjrk4D8osCtDmyLWja8qVv39kB771nlwhKy0fcM8G/d
         YmZ0EcFswmBwf2D5bwT5q/y9xDL5m/FPXF68lP7fmzaNksewzCj6csVrGoZjsRGf+qXb
         5CzOT8Q54XyNEh1X2eapAkOy4RbNi7IpKt4UDNssbJ3JWTcRfIrAEZLPnC0/oy9YKtV7
         wuN0W8Y/EgFaVlLlFRDlgYNHXkJJyKjRZWlwPzuoLE+OmyVyAyz9gZFzMZUq5X3duq8X
         nhYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=SWzpT147tCKuH/oJTsJ3VrcaxfdUFKv8ds0JG4GiFSY=;
        b=L1pylRScY4lfrkeKT/7pCSnl94Ihedn9R2/nk0BdkbKEd5vYEmCfbrF1QW2AtKbwA0
         GGabHV2oNiIJ9RInTUqiKGNIM/JOH9PkzbOXpdIwT0LoNDSBp8dQQqs4SobYJm4krsaS
         hZGUsANU0tSAGPLxdkb/ut5kPsCjUskaGRAdgZPJqZQyMM72ATxrWxlWA9JMhCdEKJ9U
         GrNX2ubkAfThq53FZP6JOza1SFasGXk5b29JJO2HupdV9UVUHYs/B+bWiw/EGWgAl1hT
         CxDk96EbhzSy4e0AzIb3OmKxGGG3JOJ4zV48iIf6aAY1CWaX1wBk00P+e4jkLpo9nK12
         rSZg==
X-Gm-Message-State: APjAAAX/tVP1wm6fuznOudXogCDWgYLYeA9GikAUzrrinMXYF2nXebWk
        PTC+icRqOJe9yXIXk6uluMBD0zv48SD9vy5fm2BfOg==
X-Received: by 2002:a63:7709:: with SMTP id s9mr21692152pgc.296.1566260352401;
 Mon, 19 Aug 2019 17:19:12 -0700 (PDT)
Date:   Mon, 19 Aug 2019 17:18:00 -0700
In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com>
Message-Id: <20190820001805.241928-25-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190820001805.241928-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.23.0.rc1.153.gdeed80330f-goog
Subject: [PATCH V40 24/29] lockdown: Lock down perf when in confidentiality mode
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
        David Howells <dhowells@redhat.com>,
        Matthew Garrett <mjg59@google.com>,
        Kees Cook <keescook@chromium.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Ingo Molnar <mingo@redhat.com>,
        Arnaldo Carvalho de Melo <acme@kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells <dhowells@redhat.com>

Disallow the use of certain perf facilities that might allow userspace to
access kernel data.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
---
 include/linux/security.h     | 1 +
 kernel/events/core.c         | 7 +++++++
 security/lockdown/lockdown.c | 1 +
 3 files changed, 9 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index e604f4c67f03..b94f1e697537 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -119,6 +119,7 @@ enum lockdown_reason {
 	LOCKDOWN_KCORE,
 	LOCKDOWN_KPROBES,
 	LOCKDOWN_BPF_READ,
+	LOCKDOWN_PERF,
 	LOCKDOWN_CONFIDENTIALITY_MAX,
 };
 
diff --git a/kernel/events/core.c b/kernel/events/core.c
index f85929ce13be..8732f980a4fc 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10798,6 +10798,13 @@ SYSCALL_DEFINE5(perf_event_open,
 	    perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
 		return -EACCES;
 
+	err = security_locked_down(LOCKDOWN_PERF);
+	if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR))
+		/* REGS_INTR can leak data, lockdown must prevent this */
+		return err;
+
+	err = 0;
+
 	/*
 	 * In cgroup mode, the pid argument is used to pass the fd
 	 * opened to the cgroup directory in cgroupfs. The cpu argument
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 2397772c56bd..3d7b1039457b 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -34,6 +34,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_KCORE] = "/proc/kcore access",
 	[LOCKDOWN_KPROBES] = "use of kprobes",
 	[LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",
+	[LOCKDOWN_PERF] = "unsafe use of perf",
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };
 
-- 
2.23.0.rc1.153.gdeed80330f-goog