Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open

2016-06-17 Thread Daniel Micay
On Fri, 2016-06-17 at 17:00 -0300, Arnaldo Carvalho de Melo wrote: > Em Fri, Jun 17, 2016 at 12:16:47PM -0400, Daniel Micay escreveu: > > On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote: > > > This Changelog is completely devoid of information. _WHY_ are you > > > doing this? >   > >

Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open

2016-06-17 Thread Arnaldo Carvalho de Melo
Em Fri, Jun 17, 2016 at 12:16:47PM -0400, Daniel Micay escreveu: > On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote: > > This Changelog is completely devoid of information. _WHY_ are you > > doing this? > Attack surface reduction. It's possible to use seccomp-bpf for some > limited cases,

Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open

2016-06-17 Thread Daniel Micay
On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote: > On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote: > > Hi guys, > > > > This patch wasn't originally CCed to you (I'm fixing that now). > > Would > > you consider taking this into the perf tree?  > > No. > > > It's been in

Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open

2016-06-17 Thread Peter Zijlstra
On Thu, Jun 16, 2016 at 03:27:55PM -0700, Kees Cook wrote: > Hi guys, > > This patch wasn't originally CCed to you (I'm fixing that now). Would > you consider taking this into the perf tree? No. > It's been in active use > in both Debian and Android for a while now. Very nice of you all to

Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open

2016-06-16 Thread Kees Cook
Hi guys, This patch wasn't originally CCed to you (I'm fixing that now). Would you consider taking this into the perf tree? It's been in active use in both Debian and Android for a while now. (If need be, I can resend it.) Thanks! -Kees On Sat, Jun 4, 2016 at 1:49 PM, Jeffrey Vander Stoep

Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open

2016-06-04 Thread Jeffrey Vander Stoep
Acked-by: Jeff Vander Stoep In addition to Debian, this patch has been merged into AOSP and is a requirement for Android: https://android-review.googlesource.com/#/q/topic:CONFIG_SECURITY_PERF_EVENTS_RESTRICT On Wed, Apr 13, 2016 at 9:12 AM, Kees Cook

Re: [kernel-hardening] [PATCH 2/2] security,perf: Allow further restriction of perf_event_open

2016-04-13 Thread Kees Cook
On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings wrote: > When kernel.perf_event_open is set to 3 (or greater), disallow all > access to performance events by users without CAP_SYS_ADMIN. > Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that > makes this value the
