[d-kernel] [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open

[Dmitry V. Levin]

Hi,

On Thu, Jun 02, 2022 at 07:15:11PM +0400, Alexey Sheplyakov wrote:
> Hi,
> 
> On Thu, Jun 02, 2022 at 03:31:00AM +0300, Vitaly Chikunov wrote:
> > The GRKERNSEC_PERF_HARDEN feature extracted from grsecurity.  Adds the
> > option to disable perf_event_open() entirely for unprivileged users.
> > This standalone version doesn't include making the variable read-only
> > (or renaming it).
> > 
> > When kernel.perf_event_open is set to 3 (or greater), disallow all
> > access to performance events by users without CAP_SYS_ADMIN.
> > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
> > makes this value the default.
> 
> No, thanks. Profiling on Linux is already more diffucult than it should be
> Making things even more complicated is not appreciated at all.

Since the kernel we are talking about is an universal kernel, it has to
suit needs of both those who care about basic security and those who do
profiling.  Thus, a patch that makes this control runtime configurable
is a long awaited one.  The only aspect worth discussing is the default
behaviour.


-- 
ldv