lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1466180207.849.50.camel@gmail.com>
Date:	Fri, 17 Jun 2016 12:16:47 -0400
From:	Daniel Micay <danielmicay@...il.com>
To:	kernel-hardening@...ts.openwall.com,
	Kees Cook <keescook@...omium.org>
Cc:	Ingo Molnar <mingo@...hat.com>,
	Arnaldo Carvalho de Melo <acme@...nel.org>,
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further
 restriction of perf_event_open

On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote:
> > Hi guys,
> > 
> > This patch wasn't originally CCed to you (I'm fixing that now).
> > Would
> > you consider taking this into the perf tree? 
> 
> No.
> 
> > It's been in active use
> > in both Debian and Android for a while now.
> 
> Very nice of you all to finally inform us I suppose :/

It was in Debian a lot longer than Android, although the Android feature
came from a downstream variant where it was done much earlier:

https://android-review.googlesource.com/#/c/233736/

> > > > > 
> > > > > access to performance events by users without CAP_SYS_ADMIN.
> > > > > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> > > > > makes this value the default.
> > > > > 
> > > > > This is based on a similar feature in grsecurity
> > > > > (CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include
> > > > > making
> > > > > the variable read-only.  It also allows enabling further
> > > > > restriction
> > > > > at run-time regardless of whether the default is changed.
> 
> This Changelog is completely devoid of information. _WHY_ are you
> doing
> this?

Attack surface reduction. It's possible to use seccomp-bpf for some
limited cases, but it's not flexible enough. There are lots of
information leaks and local privilege escalation vulnerabilities via
perf events, yet on most Linux installs it's not ever being used. So
turning it off by default on those installs is an easy win. The holes
are reduced to root -> kernel (and that's not a meaningful boundary in
mainline right now - although as is the case here, Debian has a bunch of
securelevel patches for that).
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ