Date: Thu, 28 Feb 2019 15:12:00 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-24-matthewgarrett@google.com>
Subject: [PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

There are some bpf functions that can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
---
 kernel/bpf/syscall.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 8577bb7f8be6..e78dbe5473c9 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2593,6 +2593,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err; -- 2.21.0.352.gf09ad66450-goog
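Review bot: the check added at the top of SYSCALL_DEFINE3(bpf) runs before cmd is examined, so under lockdown every bpf() command returns -EPERM, even for a caller that passed the CAP_SYS_ADMIN test just above, while the subject line says only the kernel image access functions are restricted and the message names just three helpers. Either retitle the patch to say that bpf() is disabled under lockdown, or narrow the restriction to the helpers named in the message (bpf_probe_read, bpf_probe_write_user, bpf_trace_printk) so that other commands keep working. A short comment above `if (kernel_is_locked_down("BPF"))` giving the reason would also help, since this check and the unprivileged one before it both return -EPERM and a caller cannot tell which one applied.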