This is recommended by KSPP, Lynis, and others. Indeed, there is no legitimate reason why an unprivileged user on IPFire should do any profiling. Unfortunately, this change never landed in the mainline kernel, hence a distribution patch is necessary.
Tested-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/etc/sysctl.conf | 3 + config/rootfiles/common/aarch64/linux | 1 + config/rootfiles/common/armv6l/linux | 1 + config/rootfiles/common/x86_64/linux | 1 + lfs/linux | 3 + ...rther-restriction-of-perf_event_open.patch | 77 +++++++++++++++++++ 6 files changed, 86 insertions(+) create mode 100644 src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index c8c775d13..5fc3e3d89 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -101,3 +101,6 @@ net.ipv4.tcp_rfc1337 = 1
# Include PID in file names of generated core dumps kernel.core_uses_pid = 1 + +# Block non-uid-0 profiling +kernel.perf_event_paranoid = 3 diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 69413f49d..f38a12a24 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -13238,6 +13238,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux index fd6cb5041..1d6a34325 100644 --- a/config/rootfiles/common/armv6l/linux +++ b/config/rootfiles/common/armv6l/linux @@ -13710,6 +13710,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index e677e4c06..a3edadb3b 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux 
@@ -13698,6 +13698,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/lfs/linux b/lfs/linux index 2a7692b67..4d14baf87 100644 --- a/lfs/linux +++ b/lfs/linux @@ -131,6 +131,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # fix Boot with enabled usercopy hardening cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
+ # Patch performance monitoring restrictions to allow further hardening + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch + ifeq "$(BUILD_ARCH)" "armv6l" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1 diff --git a/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch new file mode 100644 index 000000000..9cf1f1cc9 --- /dev/null +++ b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch 
@@ -0,0 +1,77 @@ +From: Jeff Vander Stoep jeffv@google.com +Date: Wed, 27 Jul 2016 07:45:46 -0700 +Message-Id: 1469630746-32279-1-git-send-email-jeffv@google.com +Subject: [kernel-hardening] [PATCH 1/2] security, + perf: allow further restriction of perf_event_open + +When kernel.perf_event_paranoid is set to 3 (or greater), disallow +all access to performance events by users without CAP_SYS_ADMIN. + +This new level of restriction is intended to reduce the attack +surface of the kernel. Perf is a valuable tool for developers but +is generally unnecessary and unused on production systems. Perf may +open up an attack vector to vulnerable device-specific drivers as +recently demonstrated in CVE-2016-0805, CVE-2016-0819, +CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of +restriction allows for a safe default to be set on production systems +while leaving a simple means for developers to grant access [1]. + +This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad +Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches +have been modified and split up to address on-list feedback. + +kernel.perf_event_paranoid=3 is the default on both Debian [2] and +Android [3]. 
+ +[1] Making perf available to developers on Android: +https://android-review.googlesource.com/#/c/234400/ +[2] Original patch by Ben Hutchings: +https://lkml.org/lkml/2016/1/11/587 +[3] https://android-review.googlesource.com/#/c/234743/ + +Signed-off-by: Jeff Vander Stoep jeffv@google.com +Reviewed-by: Kees Cook keescook@chromium.org +--- + Documentation/sysctl/kernel.txt | 1 + + include/linux/perf_event.h | 5 +++++ + kernel/events/core.c | 4 ++++ + 3 files changed, 10 insertions(+) + +diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h +index 8ed43261..1e2080f 100644 +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -1156,6 +1156,11 @@ static inline bool perf_paranoid_kernel(void) + return sysctl_perf_event_paranoid > 1; + } + ++static inline bool perf_paranoid_any(void) ++{ ++ return sysctl_perf_event_paranoid > 2; ++} ++ + extern void perf_event_init(void); + extern void perf_tp_event(u16 event_type, u64 count, void *record, + int entry_size, struct pt_regs *regs, +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 356a6c7..52bd100 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -353,6 +353,7 @@ static struct srcu_struct pmus_srcu; + * 0 - disallow raw tracepoint access for unpriv + * 1 - disallow cpu events for unpriv + * 2 - disallow kernel profiling for unpriv ++ * 3 - disallow all unpriv perf event use + */ + int sysctl_perf_event_paranoid __read_mostly = 2; + +@@ -9296,6 +9297,9 @@ SYSCALL_DEFINE5(perf_event_open, + if (flags & ~PERF_FLAG_ALL) + return -EINVAL; + ++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) ++ return -EACCES; ++ + err = perf_copy_attr(attr_uptr, &attr); + if (err) + return err;
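Review bot: in the config/etc/sysctl.conf hunk, the comment `+# Block non-uid-0 profiling` understates the condition the patch actually enforces: the new gate is `perf_paranoid_any() && !capable(CAP_SYS_ADMIN)`, so it keys on the capability, not on uid 0. Suggest `# Block perf_event_open() for processes without CAP_SYS_ADMIN (needs the perf_paranoid_any() kernel patch)`. The second half of that comment matters because, without the kernel patch, the value 3 is silently equivalent to 2: the existing check is `return sysctl_perf_event_paranoid > 1;`, so the sysctl and the kernel patch must ship together.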
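Review bot: the three rootfiles hunks (aarch64, armv6l, x86_64) each add `+#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig`. A .orig file is the backup patch(1) leaves behind when a hunk only applies with fuzz, so its presence shows the kernel patch does not match the 5.15.17 tree exactly. Rebase the patch so it applies cleanly instead of carrying the backup in the rootfiles, even commented out.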
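Review bot: in the new src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch, the embedded diffstat lists `Documentation/sysctl/kernel.txt | 1 +` and `3 files changed, 10 insertions(+)`, but the file only contains the include/linux/perf_event.h and kernel/events/core.c diffs (9 insertions), so the documentation hunk was dropped and the header no longer describes the content. The subject still reads `[PATCH 1/2]` and the `index 8ed43261..1e2080f` / `index 356a6c7..52bd100` lines and hunk offsets are from the 2016 submission, not from 5.15.17. Suggest regenerating the diff against the 5.15.17 sources, dropping the stale diffstat and the "1/2", and keeping a short note that the change is derived from Jeff Vander Stoep's 2016 patch.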
Hello,
On 30 Jan 2022, at 16:59, Peter Müller peter.mueller@ipfire.org wrote:
This is recommended by KSPP, Lynis, and others. Indeed, there is no legitimate reason why an unprivileged user on IPFire should do any profiling. Unfortunately, this change never landed in the mainline kernel, hence a distribution patch is necessary.
Tested-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 3 + config/rootfiles/common/aarch64/linux | 1 + config/rootfiles/common/armv6l/linux | 1 + config/rootfiles/common/x86_64/linux | 1 + lfs/linux | 3 + ...rther-restriction-of-perf_event_open.patch | 77 +++++++++++++++++++ 6 files changed, 86 insertions(+) create mode 100644 src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index c8c775d13..5fc3e3d89 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -101,3 +101,6 @@ net.ipv4.tcp_rfc1337 = 1
# Include PID in file names of generated core dumps kernel.core_uses_pid = 1
+# Block non-uid-0 profiling +kernel.perf_event_paranoid = 3 diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 69413f49d..f38a12a24 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -13238,6 +13238,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
We should not install any files like this.
#lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux index fd6cb5041..1d6a34325 100644 --- a/config/rootfiles/common/armv6l/linux +++ b/config/rootfiles/common/armv6l/linux @@ -13710,6 +13710,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index e677e4c06..a3edadb3b 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -13698,6 +13698,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/lfs/linux b/lfs/linux index 2a7692b67..4d14baf87 100644 --- a/lfs/linux +++ b/lfs/linux @@ -131,6 +131,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # fix Boot with enabled usercopy hardening cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
- # Patch performance monitoring restrictions to allow further hardening
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
ifeq "$(BUILD_ARCH)" "armv6l" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1 diff --git a/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch new file mode 100644 index 000000000..9cf1f1cc9 --- /dev/null +++ b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch @@ -0,0 +1,77 @@ +From: Jeff Vander Stoep jeffv@google.com +Date: Wed, 27 Jul 2016 07:45:46 -0700 +Message-Id: 1469630746-32279-1-git-send-email-jeffv@google.com +Subject: [kernel-hardening] [PATCH 1/2] security,
- perf: allow further restriction of perf_event_open
Where is the second part of this patchset? Is it not relevant?
+When kernel.perf_event_paranoid is set to 3 (or greater), disallow +all access to performance events by users without CAP_SYS_ADMIN.
+This new level of restriction is intended to reduce the attack +surface of the kernel. Perf is a valuable tool for developers but +is generally unnecessary and unused on production systems. Perf may +open up an attack vector to vulnerable device-specific drivers as +recently demonstrated in CVE-2016-0805, CVE-2016-0819, +CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of +restriction allows for a safe default to be set on production systems +while leaving a simple means for developers to grant access [1].
+This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad +Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches +have been modified and split up to address on-list feedback.
+kernel.perf_event_paranoid=3 is the default on both Debian [2] and +Android [3].
+[1] Making perf available to developers on Android: +https://android-review.googlesource.com/#/c/234400/ +[2] Original patch by Ben Hutchings: +https://lkml.org/lkml/2016/1/11/587 +[3] https://android-review.googlesource.com/#/c/234743/
+Signed-off-by: Jeff Vander Stoep jeffv@google.com +Reviewed-by: Kees Cook keescook@chromium.org +---
- Documentation/sysctl/kernel.txt | 1 +
- include/linux/perf_event.h | 5 +++++
- kernel/events/core.c | 4 ++++
- 3 files changed, 10 insertions(+)
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h +index 8ed43261..1e2080f 100644 +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -1156,6 +1156,11 @@ static inline bool perf_paranoid_kernel(void)
- return sysctl_perf_event_paranoid > 1;
- }
++static inline bool perf_paranoid_any(void) ++{ ++ return sysctl_perf_event_paranoid > 2; ++} ++
- extern void perf_event_init(void);
- extern void perf_tp_event(u16 event_type, u64 count, void *record,
int entry_size, struct pt_regs *regs,
+diff --git a/kernel/events/core.c b/kernel/events/core.c +index 356a6c7..52bd100 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -353,6 +353,7 @@ static struct srcu_struct pmus_srcu;
- 0 - disallow raw tracepoint access for unpriv
- 1 - disallow cpu events for unpriv
- 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
- */
- int sysctl_perf_event_paranoid __read_mostly = 2;
+@@ -9296,6 +9297,9 @@ SYSCALL_DEFINE5(perf_event_open,
- if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) ++ return -EACCES; ++
- err = perf_copy_attr(attr_uptr, &attr);
- if (err)
return err;
-- 2.31.1
-Michael
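As an added regression check (not part of the submitted patch or of this thread, and assuming a Linux host with glibc and the uapi perf headers), the program below models the level-3 gate from the quoted patch and probes perf_event_open(2) on the running system, so an administrator can confirm that an unprivileged user is refused with EACCES once both the sysctl and the kernel patch are in place:

```c
#include <errno.h>
#include <linux/perf_event.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Model of the access checks visible in the patch, for an unprivileged
 * user-space-only event opened on the caller's own task. Returns 0 if the
 * open should succeed, otherwise the errno the kernel would return. */
static int expected_perf_open_result(int paranoid, int has_cap_sys_admin,
                                     int kernel_patched)
{
    /* capable(CAP_SYS_ADMIN) bypasses the new gate; note that the sysctl.conf
     * comment says "non-uid-0", but the patch keys on the capability. */
    if (has_cap_sys_admin)
        return 0;
    /* perf_paranoid_any(): paranoid > 2 -> -EACCES, before perf_copy_attr().
     * This branch only exists on a kernel carrying the patch. */
    if (kernel_patched && paranoid > 2)
        return EACCES;
    /* Levels 0..2 gate raw tracepoints, cpu events and kernel profiling
     * (perf_paranoid_kernel() is "> 1"), none of which this probe asks for,
     * so a value of 3 on an unpatched kernel behaves exactly like 2 here. */
    return 0;
}

/* Reads the live sysctl value; -1 if it cannot be read. */
static int read_paranoid_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
    int level = -1;
    if (f) {
        if (fscanf(f, "%d", &level) != 1)
            level = -1;
        fclose(f);
    }
    return level;
}

/* Live probe: open a user-space-only cpu-clock software event on this
 * process. Returns 0 on success, otherwise the errno the kernel reported. */
static int probe_perf_event_open(void)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof(attr);
    attr.config = PERF_COUNT_SW_CPU_CLOCK;
    attr.disabled = 1;
    attr.exclude_kernel = 1;   /* allowed at level 2, refused at 3 with the patch */
    attr.exclude_hv = 1;
    long fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

int main(void)
{
    int level = read_paranoid_level();
    int rc = probe_perf_event_open();
    printf("kernel.perf_event_paranoid = %d\n", level);
    printf("perf_event_open(user-only, own task) as uid %u: %s\n",
           (unsigned)geteuid(), rc ? strerror(rc) : "succeeded");
    /* euid != 0 is used here as an approximation of "no CAP_SYS_ADMIN". */
    if (geteuid() != 0 && level >= 3 && rc != EACCES)
        printf("WARNING: level %d is set but the open was not refused with EACCES; "
               "the perf_paranoid_any() kernel patch is probably not applied\n", level);
    return 0;
}
```

Run it as an unprivileged user on the built image: with the sysctl at 3 and the patch applied the probe must report "Permission denied"; a success at level 3 means the sysctl landed but the kernel change did not.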
Hello Michael,
thanks for your reply.
Hello,
On 30 Jan 2022, at 16:59, Peter Müller peter.mueller@ipfire.org wrote:
This is recommended by KSPP, Lynis, and others. Indeed, there is no legitimate reason why an unprivileged user on IPFire should do any profiling. Unfortunately, this change never landed in the mainline kernel, hence a distribution patch is necessary.
Tested-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 3 + config/rootfiles/common/aarch64/linux | 1 + config/rootfiles/common/armv6l/linux | 1 + config/rootfiles/common/x86_64/linux | 1 + lfs/linux | 3 + ...rther-restriction-of-perf_event_open.patch | 77 +++++++++++++++++++ 6 files changed, 86 insertions(+) create mode 100644 src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index c8c775d13..5fc3e3d89 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -101,3 +101,6 @@ net.ipv4.tcp_rfc1337 = 1
# Include PID in file names of generated core dumps kernel.core_uses_pid = 1
+# Block non-uid-0 profiling +kernel.perf_event_paranoid = 3 diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 69413f49d..f38a12a24 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -13238,6 +13238,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
We should not install any files like this.
Hm. I wonder where it came from. Perhaps I forgot a "./make.sh clean" after the first attempt.
Will check and report back.
#lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux index fd6cb5041..1d6a34325 100644 --- a/config/rootfiles/common/armv6l/linux +++ b/config/rootfiles/common/armv6l/linux @@ -13710,6 +13710,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index e677e4c06..a3edadb3b 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -13698,6 +13698,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/linux/perf #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h #lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h #lib/modules/KVER-ipfire/build/include/linux/personality.h #lib/modules/KVER-ipfire/build/include/linux/pfn.h diff --git a/lfs/linux b/lfs/linux index 2a7692b67..4d14baf87 100644 --- a/lfs/linux +++ b/lfs/linux @@ -131,6 +131,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # fix Boot with enabled usercopy hardening cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
- # Patch performance monitoring restrictions to allow further hardening
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
ifeq "$(BUILD_ARCH)" "armv6l" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1 diff --git a/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch new file mode 100644 index 000000000..9cf1f1cc9 --- /dev/null +++ b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch @@ -0,0 +1,77 @@ +From: Jeff Vander Stoep jeffv@google.com +Date: Wed, 27 Jul 2016 07:45:46 -0700 +Message-Id: 1469630746-32279-1-git-send-email-jeffv@google.com +Subject: [kernel-hardening] [PATCH 1/2] security,
- perf: allow further restriction of perf_event_open
Where is the second part of this patchset? Is it not relevant?
It is not relevant indeed. Should I remove the "1/2" to avoid confusion?
Thanks, and best regards, Peter Müller
Hello Michael,
[...]
#lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
We should not install any files like this.
Hm. I wonder where it came from. Perhaps I forgot a "./make.sh clean" after the first attempt.
Will check and report back.
after running a clean build, this file stays present. It's attached to this mail.
It is odd to see this happening, as the additional "patch" command introduced by this patch does not differ from those already present in the kernel's LFS file, except for the patch file itself.
Can you give me any hint on where to look next?
Thanks, and best regards, Peter Müller
Hello,
On 4 Feb 2022, at 13:45, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
[...]
#lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
We should not install any files like this.
Hm. I wonder where it came from. Perhaps I forgot a "./make.sh clean" after the first attempt.
Will check and report back.
after running a clean build, this file stays present. It's attached to this mail.
It is odd to see this happening, as the additional "patch" command introduced by this patch does not differ from those already present in the kernel's LFS file, except for the patch file itself.
If the patch doesn’t match exactly, patch will create backup files so that you can fix anything manually if things broke.
What you can do is either rediff the patch so that it applies cleanly, or use this option:
--no-backup-if-mismatch
Do not back up a file if the patch does not match the file exactly and if backups are not otherwise requested. This is the default if patch is conforming to POSIX.
This should however be the default.
-Michael
Can you give me any hint on where to look next?
Thanks, and best regards, Peter Müller<perf_event.h.orig>
Such .orig files are created by patch if a hunk does not apply without fuzzing. Rebasing the patch onto the current kernel source should help.
Arne
On 2022-02-04 17:56, Michael Tremer wrote:
Hello,
On 4 Feb 2022, at 13:45, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
[...]
#lib/modules/KVER-ipfire/build/include/linux/perf_event.h +#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
We should not install any files like this.
Hm. I wonder where it came from. Perhaps I forgot a "./make.sh clean" after the first attempt.
Will check and report back.
after running a clean build, this file stays present. It's attached to this mail.
It is odd to see this happening, as the additional "patch" command introduced by this patch does not differ from those already present in the kernel's LFS file, except for the patch file itself.
If the patch doesn’t match exactly, patch will create backup files so that you can fix anything manually if things broke.
What you can do is either rediff the patch so that it applies cleanly, or use this option:
--no-backup-if-mismatch
Do not back up a file if the patch does not match the file exactly and if backups are not otherwise requested. This is the default if patch is conforming to POSIX.
This should however be the default.
-Michael
Can you give me any hint on where to look next?
Thanks, and best regards, Peter Müller<perf_event.h.orig>
Hello Arne, hello Michael,
thanks for your replies.
Convinced there is no way around rebasing the kernel patch, I will do so and submit a second version within the next few days. :-)
All the best, Peter Müller