summaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2019-08-20 02:18:00 +0200
committerJames Morris <jmorris@namei.org>2019-08-20 06:54:16 +0200
commitb0c8fdc7fdb77586c3d1937050925b960743306e (patch)
treebdd70cb78f6630c2e98a06aaae45600fcbb03f89 /kernel
parentbpf: Restrict bpf when kernel lockdown is in confidentiality mode (diff)
downloadlinux-b0c8fdc7fdb77586c3d1937050925b960743306e.tar.xz
linux-b0c8fdc7fdb77586c3d1937050925b960743306e.zip
lockdown: Lock down perf when in confidentiality mode
Disallow the use of certain perf facilities that might allow userspace to access kernel data. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/events/core.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c
index f85929ce13be..8732f980a4fc 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10798,6 +10798,13 @@ SYSCALL_DEFINE5(perf_event_open,
perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
return -EACCES;
+ err = security_locked_down(LOCKDOWN_PERF);
+ if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR))
+ /* REGS_INTR can leak data, lockdown must prevent this */
+ return err;
+
+ err = 0;
+
/*
* In cgroup mode, the pid argument is used to pass the fd
* opened to the cgroup directory in cgroupfs. The cpu argument