Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160617200050.GL13337@kernel.org>
Date: Fri, 17 Jun 2016 17:00:50 -0300
From: Arnaldo Carvalho de Melo <acme@...nel.org>
To: Daniel Micay <danielmicay@...il.com>
Cc: kernel-hardening@...ts.openwall.com, Kees Cook <keescook@...omium.org>,
	Ingo Molnar <mingo@...nel.org>,
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
	linux-doc@...r.kernel.org, Jiri Olsa <jolsa@...nel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Namhyung Kim <namhyung@...nel.org>, David Ahern <dsahern@...il.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/2] security,perf: Allow further
 restriction of perf_event_open

Em Fri, Jun 17, 2016 at 12:16:47PM -0400, Daniel Micay escreveu:
> On Fri, 2016-06-17 at 08:54 +0200, Peter Zijlstra wrote:
> > This Changelog is completely devoid of information. _WHY_ are you
> > doing this?
 
> Attack surface reduction. It's possible to use seccomp-bpf for some
> limited cases, but it's not flexible enough. There are lots of
> information leaks and local privilege escalation vulnerabilities via
> perf events, yet on most Linux installs it's not ever being used. So
> turning it off by default on those installs is an easy win. The holes
> are reduced to root -> kernel (and that's not a meaningful boundary in
> mainline right now - although as is the case here, Debian has a bunch of
> securelevel patches for that).

Is ptrace also disabled on such systems, or any of the other more recent
syscalls? The same arguments could probably be used to disable those:
reduce attack surface, possibly the new ones have bugs as they are
relatively new and it takes a long time for new syscalls to be more
generally used, if we go on disabling them in such a way, they will
probably never get used :-\

Wouldn't the recent bump in perf_event_paranoid to 2 enough? I.e. only
allow profiling of user tasks?

Or is there something more specific that we should disable/constrain to
reduce such surface contact without using such a big hammer?

- Arnaldo

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.