From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-security-module@vger.kernel.org,
gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, jforbes@redhat.com,
Daniel Borkmann <daniel@iogearbox.net>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org
Subject: Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down
Date: Thu, 19 Oct 2017 15:18:30 -0700 [thread overview]
Message-ID: <20171019221829.7m5nczg3ltqmhzom@ast-mbp> (raw)
In-Reply-To: <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk>
On Thu, Oct 19, 2017 at 03:52:49PM +0100, David Howells wrote:
> From: Chun-Yi Lee <jlee@suse.com>
>
> There are some bpf functions can be used to read kernel memory:
> bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
> private keys in kernel memory (e.g. the hibernation image signing key) to
> be read by an eBPF program. Prohibit those functions when the kernel is
> locked down.
>
> Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: netdev@vger.kernel.org
> ---
>
> kernel/trace/bpf_trace.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index dc498b605d5d..35e85a3fdb37 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
> {
> int ret;
>
> + if (kernel_is_locked_down("BPF")) {
> + memset(dst, 0, size);
> + return -EPERM;
> + }
That doesn't help the lockdown purpose.
If you don't trust the root the only way to prevent bpf read
memory is to disable the whole thing.
Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down()
and don't add overhead to critical path like bpf_probe_read().
next parent reply other threads:[~2017-10-19 22:18 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk>
[not found] ` <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk>
2017-10-19 22:18 ` Alexei Starovoitov [this message]
2017-10-19 22:48 ` [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down David Howells
[not found] ` <482.1508453314-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-10-19 23:31 ` Alexei Starovoitov
2017-11-09 17:15 ` David Howells
2017-10-20 2:47 ` joeyli
2017-10-20 8:08 ` David Howells
2017-10-20 15:57 ` jlee
2017-10-20 16:03 ` David Howells
2017-10-20 16:43 ` jlee
2017-10-23 14:53 ` David Howells
[not found] ` <21530.1508770380-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-10-25 7:07 ` joeyli
2017-10-20 23:00 ` Alexei Starovoitov
2017-10-23 14:51 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171019221829.7m5nczg3ltqmhzom@ast-mbp \
--to=alexei.starovoitov@gmail.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jforbes@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox