diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index c8c775d13..5fc3e3d89 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -101,3 +101,6 @@ net.ipv4.tcp_rfc1337 = 1
 
 # Include PID in file names of generated core dumps
 kernel.core_uses_pid = 1
+
+# Block non-uid-0 profiling
+kernel.perf_event_paranoid = 3
diff --git a/lfs/linux b/lfs/linux
index bd9e0cc65..018892f7f 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -137,6 +137,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# fix Boot with enabled usercopy hardening
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
 
+	# Patch performance monitoring restrictions to allow further hardening
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 	# Apply Arm-multiarch kernel patches.
 	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
diff --git a/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
new file mode 100644
index 000000000..8a578e01c
--- /dev/null
+++ b/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
@@ -0,0 +1,75 @@
+From: Jeff Vander Stoep <jeffv@google.com>
+Date: Wed, 27 Jul 2016 07:45:46 -0700
+Message-Id: <1469630746-32279-1-git-send-email-jeffv@google.com>
+Subject: [kernel-hardening] [PATCH 1/2] security,
+	perf: allow further restriction of perf_event_open
+
+When kernel.perf_event_paranoid is set to 3 (or greater), disallow
+all access to performance events by users without CAP_SYS_ADMIN.
+
+This new level of restriction is intended to reduce the attack
+surface of the kernel. Perf is a valuable tool for developers but
+is generally unnecessary and unused on production systems. Perf may
+open up an attack vector to vulnerable device-specific drivers as
+recently demonstrated in CVE-2016-0805, CVE-2016-0819,
+CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of
+restriction allows for a safe default to be set on production systems
+while leaving a simple means for developers to grant access [1].
+
+This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad
+Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches
+have been modified and split up to address on-list feedback.
+
+kernel.perf_event_paranoid=3 is the default on both Debian [2] and
+Android [3].
+
+[1] Making perf available to developers on Android:
+https://android-review.googlesource.com/#/c/234400/
+[2] Original patch by Ben Hutchings:
+https://lkml.org/lkml/2016/1/11/587
+[3] https://android-review.googlesource.com/#/c/234743/
+
+Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+---
+ Documentation/sysctl/kernel.txt | 1 +
+ include/linux/perf_event.h      | 5 +++++
+ kernel/events/core.c            | 4 ++++
+ 3 files changed, 10 insertions(+)
+
+diff -Naur linux-5.15.22.orig/include/linux/perf_event.h linux-5.15.22/include/linux/perf_event.h
+--- linux-5.15.22.orig/include/linux/perf_event.h	2022-02-11 15:39:26.163576222 +0000
++++ linux-5.15.22/include/linux/perf_event.h	2022-02-11 15:42:16.719697397 +0000
+@@ -1346,6 +1346,11 @@
+ 	return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
+ }
+ 
++static inline bool perf_paranoid_any(void)
++{
++	return sysctl_perf_event_paranoid > 2;
++}
++
+ extern void perf_event_init(void);
+ extern void perf_tp_event(u16 event_type, u64 count, void *record,
+ 			  int entry_size, struct pt_regs *regs,
+diff -Naur linux-5.15.22.orig/kernel/events/core.c linux-5.15.22/kernel/events/core.c
+--- linux-5.15.22.orig/kernel/events/core.c	2022-02-11 15:39:27.667683028 +0000
++++ linux-5.15.22/kernel/events/core.c	2022-02-11 15:42:16.723697680 +0000
+@@ -414,6 +414,7 @@
+  *   0 - disallow raw tracepoint access for unpriv
+  *   1 - disallow cpu events for unpriv
+  *   2 - disallow kernel profiling for unpriv
++ *   3 - disallow all unpriv perf event use
+  */
+ int sysctl_perf_event_paranoid __read_mostly = 2;
+ 
+@@ -12090,6 +12091,9 @@
+ 	if (err)
+ 		return err;
+ 
++	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++				return -EACCES;
++
+ 	err = perf_copy_attr(attr_uptr, &attr);
+ 	if (err)
+ 		return err;