Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3663084img;
        Mon, 25 Mar 2019 15:12:28 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzk9BBNK0uwSaJ6kP0b/L0A7OIkK27lL2Y8+3moeH2iFu7/bOUc1dH3QRjx1ni7QBo0xLoN
X-Received: by 2002:a17:902:b58f:: with SMTP id a15mr13629238pls.36.1553551948738;
        Mon, 25 Mar 2019 15:12:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553551948; cv=none;
        d=google.com; s=arc-20160816;
        b=QXRZ33CKp65B0yOZNSzN5Tnf4zg+8TrGH3ncZ3xn90loQ0jMdE1KKPA0jwCdM+pceU
         OnaFKaUz3eUXYvsECCalH6miL2sQc/CcqvX8sj/jWckFe/J6BxYV2672nzVzqz1szdVZ
         El6ybKvvsA+PVD+pJDPuEduGUk14xUff3Fl3lFvSWl28Bt+Vhdmdkt6yioaHJsv5e8pO
         iQfK5qXBbnArg4JhQR0bzIQfF51a70tcCKH53F0nEBV5aZp/0hwwPkrBxC1cpvFmo7h6
         +cxTQXZjB1X1UOl5xzYv/S0ENFOUIAUeorYMtujDbEaf92ycXDdY10UnB8C9M0YXnc3s
         bZ0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=J8bb8AG4h+6OBkHfL5HeKw0AzZuFO45maHYBjqWjP14=;
        b=dMcweQ09a0GfvMErsXgbeNP/JrTbUt9SEIchT4cnVvcNP4QyT66du804p4vpFHWqv4
         +JNbBRKZdaxQ3aeE/w7Awk7tb8IzULhUkJtkTN23L3Vz5uTqkRXRlgUJa8Urbeh94NkD
         h+rrh/DsBv0Hk+vxGq3/M1qUrsHhe3hucFfSSXZSbeaHIN+oOjzvsTy2ThFwQlZjwMRn
         OQEOXjJiwYeo0KIr1dejrO1v/Z3BGMBFYPPhJzfj8JA57Unbma+d8NBpdRldykGQumJj
         iNRyPtQszOmRx7SQV1oIFeW0cbZEnCfvNC9hUdf1S+ow3ZqGljbBNLnhpANIV3KkxObp
         +/PQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=PPz0adFx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t3si14154252pgc.307.2019.03.25.15.12.13;
        Mon, 25 Mar 2019 15:12:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=PPz0adFx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731249AbfCYWLI (ORCPT <rfc822;deadfox.tw@gmail.com>
        + 99 others); Mon, 25 Mar 2019 18:11:08 -0400
Received: from mail-qt1-f201.google.com ([209.85.160.201]:45294 "EHLO
        mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1731193AbfCYWK7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 25 Mar 2019 18:10:59 -0400
Received: by mail-qt1-f201.google.com with SMTP id 35so11659634qty.12
        for <linux-kernel@vger.kernel.org>; Mon, 25 Mar 2019 15:10:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=J8bb8AG4h+6OBkHfL5HeKw0AzZuFO45maHYBjqWjP14=;
        b=PPz0adFxRnIhJCiW1dvfFqZx3Mh9sgICPD1y8AZBgFx6LZXJkci0PCoGUL8wjSX9Nf
         h9asMewLvjeCYovlpTTwhQOEiG6aj2hc7hSDk4/IyhhwBSgqpWj3QlDSdNTvpbzB3N7R
         0ZtDDUJvNzb8GbuWfO50FjRp1onycdASeX1OQbR43J99LKeo4zmSIFVAZ5J+S0fB6pXS
         JvAGxNN//FwYcAzUadWvCWpGZqLyZWvKF+qcQhXQNV3TvpGOhhevmSCp9YYif/rOohlQ
         /uxJMY7Na89Y/BRUx+mkD27bASvozs3tqRTBlVkKf8hSPVvLh4RkgJnnqL0VSacDBbvA
         r61A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=J8bb8AG4h+6OBkHfL5HeKw0AzZuFO45maHYBjqWjP14=;
        b=pQMw6Ayi2gD0rpj2q8vAHErdtgV0SwjmPnDOjQQVH/q6IEA9l8ZWAG0efDkqzeGMBN
         n6hnq1VxbhALDXWyigkNxcA4UCE4J1ODA0D1CoV4P8os6nSSraD/xfyFL9l9vl5IJ3ra
         hMWvfPmHnYV+LX//c1fLYrlY9fyhNNl9bUjp0H65GBO/YUS06yoROaxmEpG88ZiZOs8e
         1+v/e+UwwDaOhjcdyxnGQc2a11w7VEHiauUP34RvtlUYCiYNOwNrFuxZQC014Leml8cs
         I857IXxxQa6EZLmtdC8K+/oW6Rf+ajX9UZmFmMLKXmrg7vATmxKLU/Q2fTEDWV8BFV6l
         j7Bg==
X-Gm-Message-State: APjAAAVf1Jnp1AwG/sVMgZ91bNZjVvKMorsiQ6Ovay6n9kjGOFk+lYCo
        z7KnI9Fm2viVtuJEQQO+VseuOwD3FMqi/Pgo1BKpBw==
X-Received: by 2002:a05:620a:1383:: with SMTP id k3mr13843472qki.346.1553551858792;
 Mon, 25 Mar 2019 15:10:58 -0700 (PDT)
Date:   Mon, 25 Mar 2019 15:09:50 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-24-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190325220954.29054-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH 23/27] bpf: Restrict kernel image access functions when the
 kernel is locked down
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        Alexei Starovoitov <alexei.starovoitov@gmail.com>,
        netdev@vger.kernel.org, Chun-Yi Lee <jlee@suse.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Matthew Garrett <matthewgarrett@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells <dhowells@redhat.com>

There are some bpf functions can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
---
 kernel/bpf/syscall.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index b155cd17c1bd..2cde39a875aa 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2585,6 +2585,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
+	if (kernel_is_locked_down("BPF"))
+		return -EPERM;
+
 	err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
 	if (err)
 		return err;
-- 
2.21.0.392.gf8f6787159e-goog