Date: Mon, 25 Mar 2019 15:09:50 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-24-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Alexei Starovoitov, netdev@vger.kernel.org, Chun-Yi Lee, Daniel Borkmann, Matthew Garrett
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells

There are some bpf functions that can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann
Signed-off-by: Matthew Garrett
---
 kernel/bpf/syscall.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b155cd17c1bd..2cde39a875aa 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2585,6 +2585,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err; -- 2.21.0.392.gf8f6787159e-goog
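
Review bot: the scope of the new check in SYSCALL_DEFINE3(bpf, ...) is wider than the subject line says. `if (kernel_is_locked_down("BPF")) return -EPERM;` runs before `cmd` is examined, so every bpf(2) command fails under lockdown, including ones that never reach bpf_probe_read, bpf_probe_write_user or bpf_trace_printk. The last sentence of the commit message does say "Completely prohibit", so either retitle the patch to match (the subject speaks only of "kernel image access functions") or move the check to the point where a program that uses those three helpers is accepted, so that other users of the syscall keep working. Two smaller points on the same lines: the new return is indistinguishable to the caller from the `sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)` case directly above it, since both yield -EPERM, and a short comment above the check stating that it applies to privileged callers as well would save the next reader from having to find the commit message.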