| # |
| # grecurity configuration |
| # |
| config GRKERNSEC_PERF_HARDEN |
| bool "Disable unprivileged PERF_EVENTS usage by default" |
| depends on PERF_EVENTS |
| help |
| If you say Y here, the range of acceptable values for the |
| /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and |
| default to a new value: 3. When the sysctl is set to this value, no |
| unprivileged use of the PERF_EVENTS syscall interface will be permitted. |
| |
| Though PERF_EVENTS can be used legitimately for performance monitoring |
| and low-level application profiling, it is forced on regardless of |
| configuration, has been at fault for several vulnerabilities, and |
| creates new opportunities for side channels and other information leaks. |
| |
| This feature puts PERF_EVENTS into a secure default state and permits |
| the administrator to change out of it temporarily if unprivileged |
| application profiling is needed. |
| |
