diff options
author | David Howells <dhowells@redhat.com> | 2019-08-20 02:18:00 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2019-08-20 06:54:16 +0200 |
commit | b0c8fdc7fdb77586c3d1937050925b960743306e (patch) | |
tree | bdd70cb78f6630c2e98a06aaae45600fcbb03f89 /kernel | |
parent | bpf: Restrict bpf when kernel lockdown is in confidentiality mode (diff) | |
download | linux-b0c8fdc7fdb77586c3d1937050925b960743306e.tar.xz linux-b0c8fdc7fdb77586c3d1937050925b960743306e.zip |
lockdown: Lock down perf when in confidentiality mode
Disallow the use of certain perf facilities that might allow userspace to
access kernel data.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/events/core.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index f85929ce13be..8732f980a4fc 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -10798,6 +10798,13 @@ SYSCALL_DEFINE5(perf_event_open, perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; + err = security_locked_down(LOCKDOWN_PERF); + if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) + /* REGS_INTR can leak data, lockdown must prevent this */ + return err; + + err = 0; + /* * In cgroup mode, the pid argument is used to pass the fd * opened to the cgroup directory in cgroupfs. The cpu argument |