Date: Tue, 3 Apr 2018 08:41:58 -0700
From: Alexei Starovoitov
To: Andy Lutomirski
Cc: David Howells, Ard Biesheuvel, James Morris, One Thousand Gnomes, Linus Torvalds, Matthew Garrett, Greg KH, LKML, Justin Forbes, linux-man, joeyli, LSM List, Linux API, Kees Cook, linux-efi
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
Message-ID: <20180403154156.f37wrzjhuvijzi2i@ast-mbp.dhcp.thefacebook.com>
References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
List: linux-kernel@vger.kernel.org

On Tue, Apr 03, 2018 at 08:11:07AM -0700, Andy Lutomirski wrote:
>
> >
> >> "bpf: Restrict kernel image access functions when the kernel is locked down":
> >> This patch just sucks in general.
> >
> > Yes - but that's what Alexei Starovoitov specified. bpf kind of sucks since
> > it gives you unrestricted access to the kernel.
>
> bpf, in certain contexts, gives you unrestricted access to *reading*
> kernel memory. bpf should, under no circumstances, let you write to
> the kernel unless you're using fault injection or similar.
>
> I'm surprised that Alexei acked this patch. If something like XDP or
> bpfilter starts becoming widely used, this patch will require a lot of
> reworking to avoid breaking standard distros.

My understanding was that this lockdown set attempts to disallow _reads_
of kernel memory from anything, so the first version of the patch was adding
run-time checks for bpf_probe_read(), which is a no-go, and without this
helper bpf for tracing loses a lot of its power, so the easiest is to
disable it all.
I think lockdown is supposed to disable xdp, bpfilter, nflog, raw sockets + pcap too,
otherwise even cap_net_admin can see traffic coming into the host.
Similarly, kprobe, perf_event, ftrace should be off as well?