add a property for controlling perf_event_paranoid

This adds a system property for controlling unprivileged access to perf_event_paranoid. It depends on adding kernel support for perf_event_paranoid=3 based on grsecurity's PERF_HARDEN feature to completely disable unprivileged access to perf. A minimal port of this feature is used in the vanilla Debian kernel by default. It hides the non-hardened value as an implementation detail, since while it is currently 1, it will probably become 2 in the future. (Cherry picked from commit 2b22a663) Bug: 29054680 Change-Id: I6e3ae3cf18d8c76df94f879c34fb6fde519b89a9

add a property for controlling perf_event_paranoid
5ed57a75 · Daniel Micay · The Android Automerger · b7cc19c9 · 5ed57a75
Commit 5ed57a75 authored 9 years ago by Daniel Micay Committed by The Android Automerger 8 years ago
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -544,6 +544,11 @@ on property:sys.sysctl.extra_free_kbytes=*
 on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
+on property:security.perf_harden=0
+    write /proc/sys/kernel/perf_event_paranoid 1
+on property:security.perf_harden=1
+    write /proc/sys/kernel/perf_event_paranoid 3
 ## Daemon processes to be run by init.
 ##