path: root/security/security.c
diff options
authorJoel Fernandes (Google) <>2019-10-14 13:03:08 -0400
committerPeter Zijlstra <>2019-10-17 21:31:55 +0200
commitda97e18458fb42d7c00fac5fd1c56a3896ec666e (patch)
tree0e74fd18802e470e1ec42148bd278a28c99d1655 /security/security.c
parent39b656ee9f2ce41eb969c86525f9a2a63fefac5b (diff)
perf_event: Add support for LSM and SELinux checks
In current mainline, the degree of access to perf_event_open(2) system call depends on the perf_event_paranoid sysctl. This has a number of limitations: 1. The sysctl is only a single value. Many types of accesses are controlled based on the single value thus making the control very limited and coarse grained. 2. The sysctl is global, so if the sysctl is changed, then that means all processes get access to perf_event_open(2) opening the door to security issues. This patch adds LSM and SELinux access checking which will be used in Android to access perf_event_open(2) for the purposes of attaching BPF programs to tracepoints, perf profiling and other operations from userspace. These operations are intended for production systems. 5 new LSM hooks are added: 1. perf_event_open: This controls access during the perf_event_open(2) syscall itself. The hook is called from all the places that the perf_event_paranoid sysctl is checked to keep it consistent with the systctl. The hook gets passed a 'type' argument which controls CPU, kernel and tracepoint accesses (in this context, CPU, kernel and tracepoint have the same semantics as the perf_event_paranoid sysctl). Additionally, I added an 'open' type which is similar to perf_event_paranoid sysctl == 3 patch carried in Android and several other distros but was rejected in mainline [1] in 2016. 2. perf_event_alloc: This allocates a new security object for the event which stores the current SID within the event. It will be useful when the perf event's FD is passed through IPC to another process which may try to read the FD. Appropriate security checks will limit access. 3. perf_event_free: Called when the event is closed. 4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event. 5. perf_event_write: Called from the ioctl(2) syscalls for the event. [1] Since Peter had suggest LSM hooks in 2016 [1], I am adding his Suggested-by tag below. To use this patch, we set the perf_event_paranoid sysctl to -1 and then apply selinux checking as appropriate (default deny everything, and then add policy rules to give access to domains that need it). In the future we can remove the perf_event_paranoid sysctl altogether. Suggested-by: Peter Zijlstra <> Co-developed-by: Peter Zijlstra <> Signed-off-by: Joel Fernandes (Google) <> Signed-off-by: Peter Zijlstra (Intel) <> Acked-by: James Morris <> Cc: Arnaldo Carvalho de Melo <> Cc: Cc: Yonghong Song <> Cc: Kees Cook <> Cc: Ingo Molnar <> Cc: Alexei Starovoitov <> Cc: Cc: Jiri Olsa <> Cc: Daniel Borkmann <> Cc: Cc: Song Liu <> Cc: Cc: Namhyung Kim <> Cc: Matthew Garrett <> Link:
Diffstat (limited to 'security/security.c')
1 files changed, 27 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 1bc000f834e2..cd2d18d2d279 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2404,3 +2404,30 @@ int security_locked_down(enum lockdown_reason what)
return call_int_hook(locked_down, 0, what);
+int security_perf_event_open(struct perf_event_attr *attr, int type)
+ return call_int_hook(perf_event_open, 0, attr, type);
+int security_perf_event_alloc(struct perf_event *event)
+ return call_int_hook(perf_event_alloc, 0, event);
+void security_perf_event_free(struct perf_event *event)
+ call_void_hook(perf_event_free, event);
+int security_perf_event_read(struct perf_event *event)
+ return call_int_hook(perf_event_read, 0, event);
+int security_perf_event_write(struct perf_event *event)
+ return call_int_hook(perf_event_write, 0, event);
+#endif /* CONFIG_PERF_EVENTS */