Date: Wed, 6 Mar 2019 15:59:10 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-25-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells

There are some bpf functions that can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Signed-off-by: Matthew Garrett
---
 kernel/bpf/syscall.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b155cd17c1bd..2cde39a875aa 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c
@@ -2585,6 +2585,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err; -- 2.21.0.352.gf09ad66450-goog
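
Review bot: The added `if (kernel_is_locked_down("BPF")) return -EPERM;` sits at the top of SYSCALL_DEFINE3(bpf, ...), before `cmd` is looked at, so under lockdown every bpf() command fails, including for callers that pass the preceding CAP_SYS_ADMIN check, while the subject line says only "kernel image access functions" are restricted and the changelog names three helpers (bpf_probe_read, bpf_probe_write_user, bpf_trace_printk). Either retitle the patch to say the whole syscall is disabled and spell out in the changelog why the check is not limited to programs that use those helpers, or move the check to where those helpers are made available to a program. The hunk also adds no comment, so a one-line comment above the check stating that lockdown intentionally overrides CAP_SYS_ADMIN here would help the next reader of this function. Since this changes what userspace sees from bpf(), the -EPERM under lockdown should be documented alongside the existing sysctl_unprivileged_bpf_disabled case.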