2017-11-09 16:53:17

by David Howells

Subject: [RFC][PATCH] Lock down kprobes

Hi,

I need to lock down kprobes under secure boot conditions as part of the patch
series that can be found here:

https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down

Can you tell me if the attached patch is sufficient to the cause?

Thanks,
David
---
commit ffb3484d6e0f1d625f8e84a6a19c139a28a52499
Author: David Howells <[email protected]>
Date: Wed Nov 8 16:14:12 2017 +0000

Lock down kprobes

Disallow the creation of kprobes when the kernel is locked down by
preventing their registration. This prevents kprobes from being used to
access kernel memory, either to make modifications or to steal crypto data.

Reported-by: Alexei Starovoitov <[email protected]>
Signed-off-by: David Howells <[email protected]>

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index a1606a4224e1..f06023b0936c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1530,6 +1530,9 @@ int register_kprobe(struct kprobe *p)
struct module *probed_mod;
kprobe_opcode_t *addr;

+ if (kernel_is_locked_down("Use of kprobes"))
+ return -EPERM;
+
/* Adjust probe address from symbol */
addr = kprobe_addr(p);
if (IS_ERR(addr))
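
Review bot: The check added at the top of register_kprobe() gates only new registrations, so a kprobe that was registered before kernel_is_locked_down() started returning true is left in place by this hunk. If lockdown can be switched on after boot, say in the commit message whether already-registered probes are meant to stay armed, or handle them separately. Placing the test ahead of kprobe_addr(p) is fine: the call fails with -EPERM before any symbol resolution is attempted.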



2017-11-09 16:44:40

by David Howells

Subject: Re: [RFC][PATCH] Lock down kprobes

I've extended the description and will repost.

David


2017-11-09 15:32:18

by David Howells

Subject: Re: [RFC][PATCH] Lock down kprobes

So this?

Thanks,
David
---
commit b5bb759d5e7f99c357b82b8066a9106b817de965
Author: David Howells <[email protected]>
Date: Wed Nov 8 16:14:12 2017 +0000

Lock down kprobes

Disallow the creation of kprobes when the kernel is locked down by
preventing their registration.

Signed-off-by: David Howells <[email protected]>

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index a1606a4224e1..f06023b0936c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1530,6 +1530,9 @@ int register_kprobe(struct kprobe *p)
struct module *probed_mod;
kprobe_opcode_t *addr;

+ if (kernel_is_locked_down("Use of kprobes"))
+ return -EPERM;
+
/* Adjust probe address from symbol */
addr = kprobe_addr(p);
if (IS_ERR(addr))
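
Review bot: Missing documentation on the added if (kernel_is_locked_down("Use of kprobes")) test: neither the code nor this version of the commit message says why kprobes have to be refused under lockdown. Add a one-line comment above the check, and a sentence to the description, giving the reason (a kprobe lets whoever registers it run code that can read or modify kernel memory), so that a later reader does not take the early -EPERM return for an arbitrary restriction.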


Subject: Re: [RFC][PATCH] Lock down kprobes

On Wed, Nov 08, 2017 at 04:21:33PM +0000, David Howells wrote:
> Hi,
>
> I need to lock down kprobes under secure boot conditions as part of the patch
> series that can be found here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down
>
> Can you tell me if the attached patch is sufficient to the cause?

This will not prevent the raw kprobe events from working. If your
intention is to prevent *any* kprobe registration, the best place to do
that is in register_kprobe() in kernel/probes.c

Ananth

