From patchwork Sun Jan 30 16:59:47 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 5019
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Jmy9R4HVYz3wsl
	for <patchwork@web04.haj.ipfire.org>; Sun, 30 Jan 2022 16:59:55 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4Jmy9Q0HVjz29H;
	Sun, 30 Jan 2022 16:59:54 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Jmy9P70sMz2xXd;
	Sun, 30 Jan 2022 16:59:53 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Jmy9P0qFFz2xHs
 for <development@lists.ipfire.org>; Sun, 30 Jan 2022 16:59:53 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4Jmy9M1Bh7z29H
 for <development@lists.ipfire.org>; Sun, 30 Jan 2022 16:59:50 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1643561991;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=3KoWKjmGpY0yp5xnMJLcl3hbavGh2FqiJM2RJdG1ycQ=;
 b=QBUr9FrLACgVVlNjL3UFOKyXmWuRRzHZXk33XAZ7js363QXhAN/HbJMGzpX+I9gm3TsCIi
 YnGqCKHOdtG9YrCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1643561991;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=3KoWKjmGpY0yp5xnMJLcl3hbavGh2FqiJM2RJdG1ycQ=;
 b=rF/+o/O8WqykfNOAEvPUD0KkJmo7ynEBZSXILVp0l2D9Vx2wV2or5jlWLZMjUOpZAqGcfx
 y6FLo3JNhJBhAGaR3CRs5y9U4l9MQg0S3lfp9GxDBrsU4EbaGDsLjLLiQnDCMfXSgvowk4
 WRAk5d66G478+vM4HEZgPV9gIXKj//ZlcV/Mfbel6UyOYTyhOB/3ApIQVOTKWuucPFWbqB
 iJhOdcM7zsqqm0IVLIutuhOQyFQXyGXZJCTREmZ5+yVwKdF1Ip+MQZoUsuP1/aSvIWh170
 zut2B4YMjb4KeX5zZA7RORu1IXzJib6CHk0L9EGQRo4QpYk4H8wjAJ6T0DjNIw==
Message-ID: <0135a62d-7477-1085-1e75-451acc3ffa6d@ipfire.org>
Date: Sun, 30 Jan 2022 16:59:47 +0000
MIME-Version: 1.0
Content-Language: en-US
To: "IPFire: Development" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH] Kernel: Block non-UID-0 profiling completely
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.

Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/etc/sysctl.conf                        |  3 +
 config/rootfiles/common/aarch64/linux         |  1 +
 config/rootfiles/common/armv6l/linux          |  1 +
 config/rootfiles/common/x86_64/linux          |  1 +
 lfs/linux                                     |  3 +
 ...rther-restriction-of-perf_event_open.patch | 77 +++++++++++++++++++
 6 files changed, 86 insertions(+)
 create mode 100644 src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index c8c775d13..5fc3e3d89 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -101,3 +101,6 @@ net.ipv4.tcp_rfc1337 = 1
 
 # Include PID in file names of generated core dumps
 kernel.core_uses_pid = 1
+
+# Block non-uid-0 profiling
+kernel.perf_event_paranoid = 3
diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
index 69413f49d..f38a12a24 100644
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
@@ -13238,6 +13238,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/linux/perf
 #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h
 #lib/modules/KVER-ipfire/build/include/linux/perf_event.h
+#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
 #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h
 #lib/modules/KVER-ipfire/build/include/linux/personality.h
 #lib/modules/KVER-ipfire/build/include/linux/pfn.h
diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux
index fd6cb5041..1d6a34325 100644
--- a/config/rootfiles/common/armv6l/linux
+++ b/config/rootfiles/common/armv6l/linux
@@ -13710,6 +13710,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/linux/perf
 #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h
 #lib/modules/KVER-ipfire/build/include/linux/perf_event.h
+#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
 #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h
 #lib/modules/KVER-ipfire/build/include/linux/personality.h
 #lib/modules/KVER-ipfire/build/include/linux/pfn.h
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index e677e4c06..a3edadb3b 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -13698,6 +13698,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/linux/perf
 #lib/modules/KVER-ipfire/build/include/linux/perf/arm_pmu.h
 #lib/modules/KVER-ipfire/build/include/linux/perf_event.h
+#lib/modules/KVER-ipfire/build/include/linux/perf_event.h.orig
 #lib/modules/KVER-ipfire/build/include/linux/perf_regs.h
 #lib/modules/KVER-ipfire/build/include/linux/personality.h
 #lib/modules/KVER-ipfire/build/include/linux/pfn.h
diff --git a/lfs/linux b/lfs/linux
index 2a7692b67..4d14baf87 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -131,6 +131,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# fix Boot with enabled usercopy hardening
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
 
+	# Patch performance monitoring restrictions to allow further hardening
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 	# Apply Arm-multiarch kernel patches.
 	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
diff --git a/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
new file mode 100644
index 000000000..9cf1f1cc9
--- /dev/null
+++ b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
@@ -0,0 +1,77 @@
+From: Jeff Vander Stoep <jeffv@google.com>
+Date: Wed, 27 Jul 2016 07:45:46 -0700
+Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com>
+Subject: [kernel-hardening] [PATCH 1/2] security,
+	perf: allow further restriction of perf_event_open
+
+When kernel.perf_event_paranoid is set to 3 (or greater), disallow
+all access to performance events by users without CAP_SYS_ADMIN.
+
+This new level of restriction is intended to reduce the attack
+surface of the kernel. Perf is a valuable tool for developers but
+is generally unnecessary and unused on production systems. Perf may
+open up an attack vector to vulnerable device-specific drivers as
+recently demonstrated in CVE-2016-0805, CVE-2016-0819,
+CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of
+restriction allows for a safe default to be set on production systems
+while leaving a simple means for developers to grant access [1].
+
+This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad
+Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches
+have been modified and split up to address on-list feedback.
+
+kernel.perf_event_paranoid=3 is the default on both Debian [2] and
+Android [3].
+
+[1] Making perf available to developers on Android:
+https://android-review.googlesource.com/#/c/234400/
+[2] Original patch by Ben Hutchings:
+https://lkml.org/lkml/2016/1/11/587
+[3] https://android-review.googlesource.com/#/c/234743/
+
+Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+---
+ Documentation/sysctl/kernel.txt | 1 +
+ include/linux/perf_event.h      | 5 +++++
+ kernel/events/core.c            | 4 ++++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 8ed43261..1e2080f 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1156,6 +1156,11 @@ static inline bool perf_paranoid_kernel(void)
+ 	return sysctl_perf_event_paranoid > 1;
+ }
+ 
++static inline bool perf_paranoid_any(void)
++{
++	return sysctl_perf_event_paranoid > 2;
++}
++
+ extern void perf_event_init(void);
+ extern void perf_tp_event(u16 event_type, u64 count, void *record,
+ 			  int entry_size, struct pt_regs *regs,
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 356a6c7..52bd100 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -353,6 +353,7 @@ static struct srcu_struct pmus_srcu;
+  *   0 - disallow raw tracepoint access for unpriv
+  *   1 - disallow cpu events for unpriv
+  *   2 - disallow kernel profiling for unpriv
++ *   3 - disallow all unpriv perf event use
+  */
+ int sysctl_perf_event_paranoid __read_mostly = 2;
+ 
+@@ -9296,6 +9297,9 @@ SYSCALL_DEFINE5(perf_event_open,
+ 	if (flags & ~PERF_FLAG_ALL)
+ 		return -EINVAL;
+ 
++	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++				return -EACCES;
++
+ 	err = perf_copy_attr(attr_uptr, &attr);
+ 	if (err)
+ 		return err;