anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

Allow further restriction of perf events #20

Closed madaidan closed 4 years ago

madaidan commented 4 years ago

Perf events expose tons of attack surface and have been the cause of many vulnerabilities. linux-hardened restricts these to root by default but this still allows the root user to attack the kernel.

This disallows all access to perf events by all users, including root, when the kernel.perf_event_open sysctl is set to 4 to reduce attack surface.

This keeps the default value as 3 so as not to cause too much breakage, but users can optionally increase the value.
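
A small probe for checking the policy in effect, added here as an example and not taken from the PR or the linux-hardened tree: it reads the current `kernel.perf_event_paranoid` value, prints what that level means, and then attempts the most innocuous `perf_event_open` call available (a user-space-only software clock counter on the calling thread). The descriptions for levels -1 to 2 follow the upstream sysctl documentation, level 3 is the existing linux-hardened default, and the level 4 description is the behaviour the PR proposes. The exact errno a denied open returns (`EACCES` or `EPERM`) depends on the kernel build, so the code reports whatever it gets rather than assuming one.

```c
/* perf_paranoid_probe.c - added example, not code from the linux-hardened tree.
 * Build: cc -Wall -o perf_paranoid_probe perf_paranoid_probe.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/perf_event.h>

/* Meaning of each kernel.perf_event_paranoid level. -1..2 are upstream semantics,
 * 3 is the existing linux-hardened default, 4 is the value this PR proposes. */
const char *paranoid_meaning(long level)
{
    if (level <= -1) return "all events for all users";
    if (level == 0)  return "no raw tracepoints or kernel function tracing for unprivileged users";
    if (level == 1)  return "no CPU-wide events for unprivileged users";
    if (level == 2)  return "no kernel profiling for unprivileged users";
    if (level == 3)  return "perf_event_open denied to all unprivileged users";
    return "perf_event_open denied to everyone, including root (proposed level 4)";
}

/* Read the current level from procfs. Returns 0 and fills *out, or -1 when the
 * file cannot be read (non-Linux host, or procfs hidden by a sandbox). */
int read_paranoid_level(long *out)
{
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
    if (!f) return -1;
    int ok = fscanf(f, "%ld", out) == 1;
    fclose(f);
    return ok ? 0 : -1;
}

/* Try to open a user-space-only software counter on the calling thread, the
 * least privileged request perf_event_open accepts (allowed even at level 2).
 * Returns 0 if the event opened (the fd is closed again), otherwise -errno.
 * A policy denial shows up here as -EACCES or -EPERM depending on the kernel. */
int probe_perf_event_open(void)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_SW_CPU_CLOCK;
    attr.disabled = 1;
    attr.exclude_kernel = 1;   /* do not ask for kernel samples */
    attr.exclude_hv = 1;

    long fd = syscall(SYS_perf_event_open, &attr,
                      0 /* this thread */, -1 /* any cpu */, -1 /* no group */, 0);
    if (fd < 0) return -errno;
    close((int)fd);
    return 0;
}

int main(void)
{
    long level;
    if (read_paranoid_level(&level) == 0)
        printf("kernel.perf_event_paranoid = %ld (%s)\n", level, paranoid_meaning(level));
    else
        printf("kernel.perf_event_paranoid: unreadable\n");

    int rc = probe_perf_event_open();
    if (rc == 0)
        printf("perf_event_open: allowed for uid %u\n", (unsigned)getuid());
    else
        printf("perf_event_open: denied for uid %u: %s\n", (unsigned)getuid(), strerror(-rc));
    return 0;
}
```

Run it once as an unprivileged user and once as root: with the PR applied and `sysctl kernel.perf_event_paranoid=4`, both runs should report a denial, which is the observable difference from level 3, where only the unprivileged run is refused.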

Bernhard40 commented 4 years ago

FYI: there will be upcoming changes related to perf_event_paranoid in linux 5.5: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da97e18458fb42d7c00fac5fd1c56a3896ec666e

anthraxx commented 4 years ago

Can we get this adjusted for the latest tree, as there have been perf code changes?

madaidan commented 4 years ago

Oops... I'm not sure what I did but it broke. I think I'll just resend it.

madaidan commented 4 years ago

https://github.com/anthraxx/linux-hardened/pull/31