Subject: [PATCH 21/24] Lock down kprobes
From: David Howells
To: torvalds@linux-foundation.org
Cc: linux-man@vger.kernel.org, linux-api@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org
Date: Wed, 11 Apr 2018 17:26:55 +0100
Message-ID: <152346401560.4030.11136333491983876306.stgit@warthog.procyon.org.uk>
In-Reply-To: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk>

Disallow the creation of kprobes when the kernel is locked down by preventing their registration. This prevents kprobes from being used to access kernel memory, either to make modifications or to steal crypto data.

Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
---
 kernel/kprobes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 102160ff5c66..4f5757732553 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1561,6 +1561,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes")) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr))
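Review bot: the new check sits at the very top of register_kprobe(), before kprobe_addr() resolves the target, so on a locked-down kernel every caller of this common registration path is refused with -EPERM regardless of what it asked to probe, kernel-internal users included, not only registrations driven from userspace. The commit message describes the userspace-facing effect but not this, so it should state that all in-kernel callers of register_kprobe() must now tolerate -EPERM when lockdown is active, and say why -EPERM was chosen over -EACCES so the errno is consistent with the other lockdown hooks in this series.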