From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754323AbdJSWSf (ORCPT ); Thu, 19 Oct 2017 18:18:35 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:51244 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753310AbdJSWSc (ORCPT ); Thu, 19 Oct 2017 18:18:32 -0400 X-Google-Smtp-Source: ABhQp+SSzOwH2d5OgykpxOmG0FeEu5DpwOcRfgWsjarBsQMksXKX9sVUlpa6rkAhsR4ikvfkwqA8HQ== Date: Thu, 19 Oct 2017 15:18:30 -0700 From: Alexei Starovoitov To: David Howells Cc: linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, matthew.garrett@nebula.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com, Daniel Borkmann , "David S. Miller" , netdev@vger.kernel.org Subject: Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down Message-ID: <20171019221829.7m5nczg3ltqmhzom@ast-mbp> References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk> User-Agent: NeoMutt/20170421 (1.8.2) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 19, 2017 at 03:52:49PM +0100, David Howells wrote: > From: Chun-Yi Lee > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > private keys in kernel memory (e.g. the hibernation image signing key) to > be read by an eBPF program. Prohibit those functions when the kernel is > locked down. > > Signed-off-by: Chun-Yi Lee > Signed-off-by: David Howells > cc: netdev@vger.kernel.org > --- > > kernel/trace/bpf_trace.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > index dc498b605d5d..35e85a3fdb37 100644 > --- a/kernel/trace/bpf_trace.c > +++ b/kernel/trace/bpf_trace.c > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) > { > int ret; > > + if (kernel_is_locked_down("BPF")) { > + memset(dst, 0, size); > + return -EPERM; > + } That doesn't help the lockdown purpose. If you don't trust the root the only way to prevent bpf read memory is to disable the whole thing. Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down() and don't add overhead to critical path like bpf_probe_read(). From mboxrd@z Thu Jan 1 00:00:00 1970 From: alexei.starovoitov@gmail.com (Alexei Starovoitov) Date: Thu, 19 Oct 2017 15:18:30 -0700 Subject: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down In-Reply-To: <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk> References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk> Message-ID: <20171019221829.7m5nczg3ltqmhzom@ast-mbp> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Thu, Oct 19, 2017 at 03:52:49PM +0100, David Howells wrote: > From: Chun-Yi Lee > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > private keys in kernel memory (e.g. the hibernation image signing key) to > be read by an eBPF program. Prohibit those functions when the kernel is > locked down. > > Signed-off-by: Chun-Yi Lee > Signed-off-by: David Howells > cc: netdev at vger.kernel.org > --- > > kernel/trace/bpf_trace.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > index dc498b605d5d..35e85a3fdb37 100644 > --- a/kernel/trace/bpf_trace.c > +++ b/kernel/trace/bpf_trace.c > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) > { > int ret; > > + if (kernel_is_locked_down("BPF")) { > + memset(dst, 0, size); > + return -EPERM; > + } That doesn't help the lockdown purpose. If you don't trust the root the only way to prevent bpf read memory is to disable the whole thing. Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down() and don't add overhead to critical path like bpf_probe_read(). -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html