
[SRU,Bionic/linux-raspi2,1/1] UBUNTU: [Config]: set CONFIG_SECURITY_PERF_EVENTS_RESTRICT

Message ID 20201126205206.2463398-2-cascardo@canonical.com
State New
Series Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT

Commit Message

Thadeu Lima de Souza Cascardo Nov. 26, 2020, 8:52 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1905786

perf_event_open should be restricted by default, meaning that users should not
be able to use perf, unless they are privileged (have CAP_SYS_ADMIN), or change
/proc/sys/kernel/perf_event_paranoid to -1.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 debian.raspi2/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stefan Bader Nov. 27, 2020, 7:43 a.m. UTC | #1
On 26.11.20 21:52, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1905786
> 
> perf_event_open should be restricted by default, meaning that users should not
> be able to use perf, unless they are privileged (have CAP_SYS_ADMIN), or change
> /proc/sys/kernel/perf_event_paranoid to -1.
> 
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
Acked-by: Stefan Bader <stefan.bader@canonical.com>
>  debian.raspi2/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/debian.raspi2/config/config.common.ubuntu b/debian.raspi2/config/config.common.ubuntu
> index f83fb889e365..b2098cb63c59 100644
> --- a/debian.raspi2/config/config.common.ubuntu
> +++ b/debian.raspi2/config/config.common.ubuntu
> @@ -5018,7 +5018,7 @@ CONFIG_SECURITY_DEFAULT_DISPLAY_NAME="apparmor"
>  CONFIG_SECURITY_NETWORK=y
>  CONFIG_SECURITY_NETWORK_XFRM=y
>  CONFIG_SECURITY_PATH=y
> -# CONFIG_SECURITY_PERF_EVENTS_RESTRICT is not set
> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
>  CONFIG_SECURITY_SELINUX=y
>  CONFIG_SECURITY_SELINUX_AVC_STATS=y
>  CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>
Ian May Dec. 18, 2020, 9:13 p.m. UTC | #2
Applied to bionic/linux-raspi2

Thanks,
Ian

On 2020-11-26 17:52:06 , Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1905786
> 
> perf_event_open should be restricted by default, meaning that users should not
> be able to use perf, unless they are privileged (have CAP_SYS_ADMIN), or change
> /proc/sys/kernel/perf_event_paranoid to -1.
> 
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>  debian.raspi2/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/debian.raspi2/config/config.common.ubuntu b/debian.raspi2/config/config.common.ubuntu
> index f83fb889e365..b2098cb63c59 100644
> --- a/debian.raspi2/config/config.common.ubuntu
> +++ b/debian.raspi2/config/config.common.ubuntu
> @@ -5018,7 +5018,7 @@ CONFIG_SECURITY_DEFAULT_DISPLAY_NAME="apparmor"
>  CONFIG_SECURITY_NETWORK=y
>  CONFIG_SECURITY_NETWORK_XFRM=y
>  CONFIG_SECURITY_PATH=y
> -# CONFIG_SECURITY_PERF_EVENTS_RESTRICT is not set
> +CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
>  CONFIG_SECURITY_SELINUX=y
>  CONFIG_SECURITY_SELINUX_AVC_STATS=y
>  CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> -- 
> 2.27.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/debian.raspi2/config/config.common.ubuntu b/debian.raspi2/config/config.common.ubuntu
index f83fb889e365..b2098cb63c59 100644
--- a/debian.raspi2/config/config.common.ubuntu
+++ b/debian.raspi2/config/config.common.ubuntu
@@ -5018,7 +5018,7 @@  CONFIG_SECURITY_DEFAULT_DISPLAY_NAME="apparmor"
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
-# CONFIG_SECURITY_PERF_EVENTS_RESTRICT is not set
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
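
Review bot: The `+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y` line changes a default that unprivileged perf users will notice, yet neither the hunk nor the commit message names the perf_event_paranoid value the kernel starts with once the option is set; only the opt-out value -1 is given. Suggest stating the resulting default in the commit message so the change can be verified on a running system by reading /proc/sys/kernel/perf_event_paranoid. The sentence "or change /proc/sys/kernel/perf_event_paranoid to -1" would also read more clearly if it said who is expected to make that change, since it currently follows "users should not be able to use perf" and can be read as something those same users do.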