does this upstream change replace the sauce patch?
commit da97e18458fb42d7c00fac5fd1c56a3896ec666e
Author: Joel Fernandes (Google) <email address hidden>
Date: Mon Oct 14 13:03:08 2019 -0400
perf_event: Add support for LSM and SELinux checks
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the perf_event_paranoid sysctl is checked to keep it consistent with the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl). Additionally, I added an 'open' type which is similar to perf_event_paranoid sysctl == 3 patch carried in Android and several other
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <email address hidden>
Co-developed-by: Peter Zijlstra <email address hidden>
Signed-off-by: Joel Fernandes (Google) <email address hidden>
Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Acked-by: James Morris <email address hidden>
Cc: Arnaldo Carvalho de Melo <email address hidden>
Cc: <email address hidden>
Cc: Yonghong Song <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: Ingo Molnar <email address hidden>
Cc: Alexei Starovoitov <email address hidden>
Cc: <email address hidden>
Cc: Jiri Olsa <email address hidden>
Cc: Daniel Borkmann <email address hidden>
Cc: <email address hidden>
Cc: Song Liu <email address hidden>
Cc: <email address hidden>
Cc: Namhyung Kim <email address hidden>
Cc: Matthew Garrett <email address hidden>
Link: https://<email address hidden>
does this upstream change replace the sauce patch?
commit da97e18458fb42d 7c00fac5fd1c56a 3896ec666e
Author: Joel Fernandes (Google) <email address hidden>
Date: Mon Oct 14 13:03:08 2019 -0400
perf_event: Add support for LSM and SELinux checks
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
perf_event_ paranoid sysctl is checked to keep it consistent with the
Additionally, I added an 'open' type which is similar to
perf_event_ paranoid sysctl == 3 patch carried in Android and several other
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl).
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
[1] https:/ /lwn.net/ Articles/ 696240/
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <email address hidden> developed- by: Peter Zijlstra <email address hidden>
Co-
Signed-off-by: Joel Fernandes (Google) <email address hidden>
Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Acked-by: James Morris <email address hidden>
Cc: Arnaldo Carvalho de Melo <email address hidden>
Cc: <email address hidden>
Cc: Yonghong Song <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: Ingo Molnar <email address hidden>
Cc: Alexei Starovoitov <email address hidden>
Cc: <email address hidden>
Cc: Jiri Olsa <email address hidden>
Cc: Daniel Borkmann <email address hidden>
Cc: <email address hidden>
Cc: Song Liu <email address hidden>
Cc: <email address hidden>
Cc: Namhyung Kim <email address hidden>
Cc: Matthew Garrett <email address hidden>
Link: https://<email address hidden>