Change kernel.perf_event_paranoid sysctl to 2
From the kernel documentation on core kernel sysctls:
perf_event_paranoid:
Controls use of the performance events system by unprivileged
users (without CAP_SYS_ADMIN). The default value is 1.
-1: Allow use of (almost) all events by all users
>=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
>=1: Disallow CPU event access by users without CAP_SYS_ADMIN
>=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
The current default value for the Tails kernel.perf_event_paranoid sysctl
is 1 (the Debian default). This means that kernel profiling is
enabled for all users, even without CAP_SYS_ADMIN
. The perf subsystem
has a huge history of privesc vunerabilities. I propose we change this
sysctl to 2, as Tails users do not need to do kernel profiling as a the
amnesia user. This will be as simple as creating a file,
/etc/sysctl.d/perf_event_paranoid.conf
, containing the value
kernel.perf_event_paranoid=2
.
Feature Branch: feature/11421-Change-kernel.perf_event_paranoid-sysctl-2
Related issues
- Related to #11511 (closed)
Original created by @cypherpunks on 11421 (Redmine)